On Mon, Nov 28, 2022 at 04:41:14PM +0100, Philippe Mathieu-Daudé wrote:
> On 28/11/22 16:08, Gerd Hoffmann wrote:
> > > @@ -228,7 +230,7 @@ static void qxl_unpack_chunks(void *dest, size_t
> > > size, PCIQXLDevice *qxl,
> > >  if (offset == size) {
> > >  return;
> > >  }
> > > - chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
> > > + chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, bytes);
> > >  if (!chunk) {
> > >  return;
> > >  }
> >
> > Naa, it's not that simple. You get a QXLDataChunk passed in which
> > typically is verified *excluding* dynamically-sized chunk->data.
>
> OK so IIUC 1/ this line should be:
>
>   chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
>                         sizeof(QXLDataChunk));
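Review bot: the size passed in `+ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, bytes);` validates the wrong extent: the pointer returned is the next QXLDataChunk header, and its variable-length data tail is not covered by that check, as the reply below the hunk points out. The header lookup should use sizeof(QXLDataChunk), and the range chunk->data[0..chunk->data_size) needs its own check against the memory region before the memcpy that follows in the loop; please also note in the commit message which of the two checks this hunk is meant to provide, since the loop now mixes a header-sized and a payload-sized validation.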
Depends on whether you do (2) inside or outside the loop ;)

> but 2/ we should check chunk->data[chunk->data_size] is valid (within
> the MR) before calling the memcpy(), right?

Yes.

take care,
  Gerd
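Added example, not QEMU's code: a self-contained C model of the two-step check discussed above (1/ map only the fixed header with sizeof(QXLDataChunk), 2/ verify the data_size extent against the memory region before the memcpy). GuestRegion, phys2virt, unpack_chunks and demo are hypothetical stand-ins for the QXL device's qxl_phys2virt and memory-region lookup, and the chunk layout is simplified.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of a QXL data chunk: fixed header, then data_size payload bytes. */
typedef struct { uint32_t data_size; uint64_t prev_chunk, next_chunk; uint8_t data[]; } QXLDataChunk;

/* Constructed stand-in for one guest memory region (MR): base address + host backing. */
typedef struct { uint64_t base; uint8_t *mem; size_t len; } GuestRegion;

/* Hypothetical qxl_phys2virt: a host pointer only if all `size` bytes at addr lie in the MR. */
static void *phys2virt(const GuestRegion *mr, uint64_t addr, size_t size)
{
    uint64_t off = addr - mr->base;
    if (addr < mr->base || off > mr->len || size > mr->len - off)
        return NULL;
    return mr->mem + off;
}

/* Walk the chunk list into dest, stopping at the first chunk failing either check; returns bytes copied. */
static size_t unpack_chunks(void *dest, size_t size, const GuestRegion *mr, uint64_t addr)
{
    size_t offset = 0;
    while (addr && offset < size) {
        /* 1/ only the fixed header is validated here, not the dynamically-sized chunk->data */
        QXLDataChunk *chunk = phys2virt(mr, addr, sizeof(QXLDataChunk));
        if (!chunk) break;
        /* 2/ data[0..data_size) must also be inside the MR before the memcpy */
        if (!phys2virt(mr, addr + sizeof(QXLDataChunk), chunk->data_size)) break;
        size_t n = chunk->data_size < size - offset ? chunk->data_size : size - offset;
        memcpy((uint8_t *)dest + offset, chunk->data, n);
        offset += n;
        addr = chunk->next_chunk;
    }
    return offset;
}

/* Constructed scenario: two 4-byte chunks at guest 0x1000 and 0x1040. With bad_last set,
 * the second chunk's data_size claims more bytes than remain in the region. */
size_t demo(int bad_last)
{
    static _Alignas(8) uint8_t mem[0x80];
    GuestRegion mr = { 0x1000, mem, sizeof(mem) };
    uint8_t out[16];
    QXLDataChunk *c1 = (QXLDataChunk *)mem, *c2 = (QXLDataChunk *)(mem + 0x40);
    memset(mem, 0, sizeof(mem));
    c1->data_size = 4; c1->next_chunk = 0x1040; memcpy(c1->data, "abcd", 4);
    c2->data_size = bad_last ? 0x1000 : 4; memcpy(c2->data, "efgh", 4);
    return unpack_chunks(out, sizeof(out), &mr, 0x1000);
}
```

With a well-formed chain demo(0) copies 8 bytes; with the oversized second chunk demo(1) copies only the first 4 and stops before any out-of-region read.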