In fimd_update_memory_section() we attempt to find and map part of the RAM MR which backs the framebuffer, based on guest-configurable size and start address.
If the guest configures framebuffer settings which result in a zero-sized framebuffer, we hit an assertion(), because memory_region_find() will return a NULL mem_section.mr. Explicitly check for the zero-size case and treat this as a guest error. Because we now have a code path which can reach error_return without calling memory_region_find to set w->mem_section, we must NULL out w->mem_section.mr after the unref of the old MR, so that error_return does not incorrectly double-unref the old MR. Cc: [email protected] Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1407 Signed-off-by: Peter Maydell <[email protected]> --- hw/display/exynos4210_fimd.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/display/exynos4210_fimd.c b/hw/display/exynos4210_fimd.c index c61e0280a7c..eec874d0b1d 100644 --- a/hw/display/exynos4210_fimd.c +++ b/hw/display/exynos4210_fimd.c @@ -1147,6 +1147,13 @@ static void fimd_update_memory_section(Exynos4210fimdState *s, unsigned win) if (w->mem_section.mr) { memory_region_set_log(w->mem_section.mr, false, DIRTY_MEMORY_VGA); memory_region_unref(w->mem_section.mr); + w->mem_section.mr = NULL; + } + + if (w->fb_len == 0) { + qemu_log_mask(LOG_GUEST_ERROR, + "FIMD: Guest config means framebuffer is zero length\n"); + goto error_return; } w->mem_section = memory_region_find(s->fbmem, fb_start_addr, w->fb_len); -- 2.43.0
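Review bot: the ordering in this hunk is load-bearing and deserves a comment: the new `w->mem_section.mr = NULL;` must stay before the `if (w->fb_len == 0)` guard, because the guard's `goto error_return` is the first path that reaches error_return without memory_region_find() having overwritten w->mem_section, and a stale mr there would be unreffed a second time. A one-line comment above `w->mem_section.mr = NULL;` saying exactly that would stop a future reorder from reintroducing the double-unref. Separately, the LOG_GUEST_ERROR message would be more useful if it named the window, which is already in scope as the `win` parameter of fimd_update_memory_section(), e.g. "FIMD: window %u: guest config means framebuffer is zero length\n"; as written the log line cannot be tied back to the window register the guest misprogrammed.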
