From a8fbaf96e0791d72078d22b75c5f3c1f1d1ee45d Mon Sep 17 00:00:00 2001
From: balrog
Date: Thu, 6 Mar 2008 20:43:34 +0000
Subject: [PATCH] Check for out of range update regions (original patch from Anthony Liguori).
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4024 c046a42c-6fe2-441c-8c8c-71466251a162
---
 hw/vmware_vga.c | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 54c320a2c4..f2ffa211de 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -291,12 +291,33 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
 int x, int y, int w, int h)
 {
 #ifndef DIRECT_VRAM
- int line = h;
- int bypl = s->bypp * s->width;
- int width = s->bypp * w;
- int start = s->bypp * x + bypl * y;
- uint8_t *src = s->vram + start;
- uint8_t *dst = s->ds->data + start;
+ int line;
+ int bypl;
+ int width;
+ int start;
+ uint8_t *src;
+ uint8_t *dst;
+
+ if (x + w > s->width) {
+ fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
+ __FUNCTION__, x, w);
+ x = MIN(x, s->width);
+ w = s->width - x;
+ }
+
+ if (y + h > s->height) {
+ fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
+ __FUNCTION__, y, h);
+ y = MIN(y, s->height);
+ h = s->height - y;
+ }
+
+ line = h;
+ bypl = s->bypp * s->width;
+ width = s->bypp * w;
+ start = s->bypp * x + bypl * y;
+ src = s->vram + start;
+ dst = s->ds->data + start;
 for (; line > 0; line --, src += bypl, dst += bypl)
 memcpy(dst, src, width);
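Review bot: The two added range checks in `vmsvga_update_rect` clamp only the far edge, so a negative `x`, `y`, `w` or `h` still passes them and reaches `start = s->bypp * x + bypl * y` and `memcpy(dst, src, width)` with a negative offset or a length that converts to a very large `size_t`. The sums `x + w` and `y + h` are also signed `int` additions that can overflow (undefined behaviour) before the comparison, so comparing against `s->width - x` and `s->height - y` is safer. The checks also assume that `s->vram` and `s->ds->data` each hold at least `s->height` lines of `bypl` bytes, which is not visible in this hunk and is worth confirming. The function body continues past the hunk, so the sketch below keeps the commit's clamp-and-log approach instead of returning early.

```c
    /* ... unchanged: declarations of line, bypl, width, start, src, dst ... */

    /* Reject negatives first; the subtraction form avoids overflow in x + w. */
    if (x < 0 || w < 0 || x > s->width || w > s->width - x) {
        fprintf(stderr, "%s: update width out of range x: %d, w: %d\n",
                        __FUNCTION__, x, w);
        x = x < 0 ? 0 : MIN(x, s->width);
        w = w < 0 ? 0 : MIN(w, s->width - x);
    }

    if (y < 0 || h < 0 || y > s->height || h > s->height - y) {
        fprintf(stderr, "%s: update height out of range y: %d, h: %d\n",
                        __FUNCTION__, y, h);
        y = y < 0 ? 0 : MIN(y, s->height);
        h = h < 0 ? 0 : MIN(h, s->height - y);
    }

    /* ... unchanged: line/bypl/width/start/src/dst assignments and copy loop ... */
```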