From: Peter Maydell
Date: Fri, 7 Nov 2025 14:39:13 +0000 (+0000)
Subject: hw/display/exynos4210_fimd: Account for zero length in fimd_update_memory_section()
X-Git-Tag: v10.2.0-rc2~8^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=579be921f509fb9d2deccc4233496e36b221abb3;p=thirdparty%2Fqemu.git

hw/display/exynos4210_fimd: Account for zero length in fimd_update_memory_section()

In fimd_update_memory_section() we attempt to find and map part of the RAM MR which backs the framebuffer, based on guest-configurable size and start address. If the guest configures framebuffer settings which result in a zero-sized framebuffer, we hit an assertion(), because memory_region_find() will return a NULL mem_section.mr. Explicitly check for the zero-size case and treat this as a guest error.

Because we now have a code path which can reach error_return without calling memory_region_find to set w->mem_section, we must NULL out w->mem_section.mr after the unref of the old MR, so that error_return does not incorrectly double-unref the old MR.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1407
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20251107143913.1341358-1-peter.maydell@linaro.org
---
diff --git a/hw/display/exynos4210_fimd.c b/hw/display/exynos4210_fimd.c index 6b1eb43987..49c180fec0 100644 --- a/hw/display/exynos4210_fimd.c +++ b/hw/display/exynos4210_fimd.c @@ -1146,6 +1146,13 @@ static void fimd_update_memory_section(Exynos4210fimdState *s, unsigned win) if (w->mem_section.mr) { memory_region_set_log(w->mem_section.mr, false, DIRTY_MEMORY_VGA); memory_region_unref(w->mem_section.mr); + w->mem_section.mr = NULL; + } + + if (w->fb_len == 0) { + qemu_log_mask(LOG_GUEST_ERROR, + "FIMD: Guest config means framebuffer is zero length\n"); + goto error_return; } w->mem_section = memory_region_find(s->fbmem, fb_start_addr, w->fb_len);
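Review bot: The added `w->mem_section.mr = NULL;` is what makes the new `goto error_return` safe against a double unref of the old MR, but nothing at that line records the reason; a one-line comment such as `/* error_return must not unref the old MR again */` would keep the invariant the commit message explains visible in the code. The new guard also covers only the `w->fb_len == 0` case, while the assertion the commit message mentions fires whenever `memory_region_find()` hands back a NULL `mem_section.mr`; it is worth confirming that no other guest-controlled input to that call (the hunk passes `fb_start_addr` as well as `w->fb_len`) can yield the same NULL result, or otherwise also checking `w->mem_section.mr` after the call and routing that case through the same `LOG_GUEST_ERROR` path.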