> @@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t size, > PCIQXLDevice *qxl, > if (offset == size) { > return; > } > - chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id); > + chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, bytes); > if (!chunk) { > return; > }
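Review bot: the new `bytes` argument in `chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, bytes);` is neither defined nor derived within this hunk, so it is not clear what length the guest address is being validated against; since the loop goes on to read the next chunk's variable-length payload, a check covering only the fixed QXLDataChunk header leaves `if (!chunk) { return; }` guarding less than the code actually touches. Suggest stating in the commit message what `bytes` is expected to cover (header only, or header plus the chunk's declared data length) and, if it is header-only, adding a separate bounds check on the payload before it is copied.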
Naa, it's not that simple. You get a QXLDataChunk passed in which typically is verified *excluding* dynamically-sized chunk->data. Also at least one code path (processing SPICE_CURSOR_TYPE_MONO in qxl_cursor) goes and accesses chunk.data[] without calling qxl_unpack_chunks(); that needs additional verification too (or switch it to call qxl_unpack_chunks, or just drop it because nobody uses monochrome cursors anyway).

Take care,
Gerd