From 579be921f509fb9d2deccc4233496e36b221abb3 Mon Sep 17 00:00:00 2001
From: Peter Maydell
Date: Fri, 7 Nov 2025 14:39:13 +0000
Subject: [PATCH] hw/display/exynos4210_fimd: Account for zero length in fimd_update_memory_section()
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

In fimd_update_memory_section() we attempt ot find and map part of the RAM MR which backs the framebuffer, based on guest-configurable size and start address. If the guest configures framebuffer settings which result in a zero-sized framebuffer, we hit an assertion(), because memory_region_find() will return a NULL mem_section.mr. Explicitly check for the zero-size case and treat this as a guest error.

Because we now have a code path which can reach error_return without calling memory_region_find to set w->mem_section, we must NULL out w->mem_section.mr after the unref of the old MR, so that error_return does not incorrectly double-unref the old MR.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1407
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20251107143913.1341358-1-peter.maydell@linaro.org
---
 hw/display/exynos4210_fimd.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/display/exynos4210_fimd.c b/hw/display/exynos4210_fimd.c
index 6b1eb43987..49c180fec0 100644
--- a/hw/display/exynos4210_fimd.c
+++ b/hw/display/exynos4210_fimd.c
@@ -1146,6 +1146,13 @@ static void fimd_update_memory_section(Exynos4210fimdState *s, unsigned win)
     if (w->mem_section.mr) {
         memory_region_set_log(w->mem_section.mr, false, DIRTY_MEMORY_VGA);
         memory_region_unref(w->mem_section.mr);
+        w->mem_section.mr = NULL;
+    }
+
+    if (w->fb_len == 0) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "FIMD: Guest config means framebuffer is zero length\n");
+        goto error_return;
     }
 
     w->mem_section = memory_region_find(s->fbmem, fb_start_addr, w->fb_len);
--
2.47.3
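Review bot: The new guest-error log in the `if (w->fb_len == 0)` branch does not say which window was misconfigured, although `win` is a parameter of fimd_update_memory_section() per the hunk header; since this is a guest-triggerable condition that an operator may see repeatedly, the message should identify it: `"FIMD: Guest config means framebuffer for window %u is zero length\n", win`. The `w->mem_section.mr = NULL;` added after memory_region_unref() is the only thing that keeps the new `goto error_return` from double-unreffing the old region, as the commit message explains, but that reasoning lives in the commit and not in the code; a comment on that line such as `/* error_return unrefs mem_section.mr; avoid a double unref */` would protect it from being "cleaned up" later. Whether error_return also resets the remaining mem_section fields and any cached host framebuffer pointer for this early path cannot be confirmed from the hunk, since both the start and the error_return label of the function lie outside it.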