We check for the end of the screen before writing the pixel, but the complement color case reads the screen pixel before that check, so the check has to be done earlier. This fixes a segmentation fault with guest_hwcursor when the pointer is partially out of the screen at the lower right corner.
Signed-off-by: BALATON Zoltan <[email protected]>
---
 hw/display/ati.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/display/ati.c b/hw/display/ati.c
index 7543065456..9fb798b3e9 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -216,6 +216,9 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
 uint8_t abits = vga_read_byte(vga, srcoff + i);
 uint8_t xbits = vga_read_byte(vga, srcoff + i + 8);
 for (j = 0; j < 8; j++, abits <<= 1, xbits <<= 1, idx++) {
+ if (vga->hw_cursor_x + idx >= h) {
+ return; /* end of screen, don't span to next line */
+ }
 if (abits & BIT(7)) {
 if (xbits & BIT(7)) {
 color = dp[idx] ^ 0xffffffff; /* complement */
@@ -226,9 +229,6 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
 color = (xbits & BIT(7) ? s->regs.cur_color1 :
 s->regs.cur_color0) | 0xff000000;
 }
- if (vga->hw_cursor_x + idx >= h) {
- return; /* end of screen, don't span to next line */
- }
 dp[idx] = color;
 }
 }
-- 
2.41.3
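Review bot: The guard moved to the top of the inner loop in the first hunk bounds `dp[idx]` only against `h`, and `h` is set outside the hunk, so the fix is only as strong as that value. If `h` comes from a guest-programmable register rather than from the width of the line buffer that `d` points into, the test can pass while `dp[idx]` still lies past the end of the buffer; it would be worth confirming, where `h` is computed, that it is clamped to the real surface width. The comment could also record why the test now comes first, e.g. `/* end of screen: dp[idx] is read (complement) and written below */`. The body of ati_cursor_draw_line starts and ends outside the hunk.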
