qemu/hw/misc
Peter Maydell 5d64275517 hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE
The documentation of the "Set palette" mailbox property at
https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface#set-palette
says it has the form:

    Length: 24..1032
    Value:
        u32: offset: first palette index to set (0-255)
        u32: length: number of palette entries to set (1-256)
        u32...: RGBA palette values (offset to offset+length-1)

We get this wrong in a couple of ways:
 * we aren't checking the offset and length are in range, so the guest
   can make us spin for a long time by providing a large length
 * the bounds check on our loop is wrong: we should iterate through
   'length' palette entries, not 'length - offset' entries

Fix the loop to implement the bounds checks and get the loop
condition right. In the process, make the variables local to
this switch case, rather than function-global, so it's clearer
what type they are when reading the code.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20240723131029.1159908-2-peter.maydell@linaro.org
(cherry picked from commit 0892fffc2a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: context fix due to lack of
 v9.0.0-1812-g5d5f1b60916a "hw/misc: Implement mailbox properties for customer OTP and device specific private keys"
 v8.0.0-1924-g251918266666 "hw/misc/bcm2835_property: Use 'raspberrypi-fw-defs.h' definitions"
 also remove now-unused local `n' variable which gets removed in the next change in this file,
 v9.0.0-2720-g32f1c201eedf "hw/misc/bcm2835_property: Avoid overflow in OTP access properties")
2024-08-02 10:19:03 +03:00
macio hw: replace most qemu_bh_new calls with qemu_bh_new_guarded 2023-09-11 10:53:50 +03:00
a9scu.c
allwinner-cpucfg.c
allwinner-h3-ccu.c
allwinner-h3-dramc.c
allwinner-h3-sysctrl.c
allwinner-sid.c qdev: Move softmmu properties to qdev-properties-system.h 2020-12-18 15:20:17 -05:00
applesmc.c hw/misc/applesmc: Fix memory leak in reset() handler 2024-04-10 19:38:01 +03:00
arm11scu.c
arm_integrator_debug.c arm: Update infocenter.arm.com URLs 2021-02-11 11:50:14 +00:00
arm_l2x0.c
arm_sysctl.c
armsse-cpu-pwrctrl.c hw/misc/sse-cpu-pwrctrl: Implement SSE-300 CPU<N>_PWRCTRL register block 2021-03-08 17:20:02 +00:00
armsse-cpuid.c hw/arm/mps2: Update old infocenter.arm.com URLs 2021-03-08 11:54:16 +00:00
armsse-mhu.c hw/arm/mps2: Update old infocenter.arm.com URLs 2021-03-08 11:54:16 +00:00
armv7m_ras.c arm: Move M-profile RAS register block into its own device 2021-09-01 11:08:18 +01:00
aspeed_hace.c aspeed/hace: Initialize g_autofree pointer 2023-06-16 16:15:56 +03:00
aspeed_i3c.c hw/misc/aspeed_i3c.c: Introduce a dummy AST2600 I3C model. 2022-01-20 11:47:53 +00:00
aspeed_lpc.c hw/misc: Model KCS devices in the Aspeed LPC controller 2021-03-09 12:01:28 +01:00
aspeed_peci.c hw/misc/aspeed: Add PECI controller 2022-06-30 09:21:14 +02:00
aspeed_sbc.c aspeed: sbc: Allow per-machine settings 2022-07-14 16:24:38 +02:00
aspeed_scu.c aspeed/scu: Add trace events for read ops 2022-06-30 09:21:13 +02:00
aspeed_sdmc.c aspeed/sdmc: Add trace events 2022-02-26 18:40:51 +01:00
aspeed_xdma.c hw/misc/aspeed_xdma: Add AST2600 support 2021-05-01 10:03:52 +02:00
auxbus.c qbus: Rename qbus_create() to qbus_new() 2021-09-30 13:44:08 +01:00
avr_power.c
bcm2835_cprman.c clock: Add ClockEvent parameter to callbacks 2021-03-08 17:20:01 +00:00
bcm2835_mbox.c Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
bcm2835_mphi.c
bcm2835_powermgt.c Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
bcm2835_property.c hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE 2024-08-02 10:19:03 +03:00
bcm2835_rng.c Mark remaining global TypeInfo instances as const 2022-02-21 13:30:20 +00:00
bcm2835_thermal.c
cbus.c Drop useless casts from g_malloc() & friends to pointer 2022-10-22 23:15:40 +02:00
debugexit.c
eccmemctl.c
edu.c
empty_slot.c
exynos4210_clk.c
exynos4210_pmu.c
exynos4210_rng.c
grlib_ahb_apb_pnp.c hw/misc/grlib_ahb_apb_pnp: Support 8 and 16 bit accesses 2022-08-08 23:43:11 +02:00
imx6_ccm.c hw/msic: imx6_ccm: Correct register value for silicon type 2021-01-08 15:13:39 +00:00
imx6_src.c Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
imx6ul_ccm.c
imx7_ccm.c imx7-ccm: add digprog mmio write method 2021-02-08 15:15:32 +01:00
imx7_gpr.c
imx7_snvs.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
imx25_ccm.c
imx31_ccm.c
imx_ccm.c hw: Do not include qemu/log.h if it is not necessary 2021-05-02 17:24:50 +02:00
imx_rngc.c hw: replace most qemu_bh_new calls with qemu_bh_new_guarded 2023-09-11 10:53:50 +03:00
iotkit-secctl.c misc: fix commonly doubled up words 2022-08-01 11:58:02 +02:00
iotkit-sysctl.c misc: fix commonly doubled up words 2022-08-01 11:58:02 +02:00
iotkit-sysinfo.c hw/misc/iotkit-sysinfo.c: Implement SYS_CONFIG1 and IIDR 2021-03-08 17:20:01 +00:00
ivshmem.c Use g_unix_set_fd_nonblocking() 2022-05-03 15:17:30 +04:00
Kconfig lasi: move from hw/hppa to hw/misc 2022-05-08 18:52:37 +01:00
lasi.c lasi: move from hw/hppa to hw/misc 2022-05-08 18:52:37 +01:00
led.c misc/led: LED state is set opposite of what is expected 2023-10-31 20:39:03 +03:00
mac_via.c trivial: Fix duplicated words 2022-08-01 11:58:02 +02:00
mchp_pfsoc_dmc.c hw: Remove superfluous includes of hw/hw.h 2021-05-02 17:24:50 +02:00
mchp_pfsoc_ioscb.c hw: Remove superfluous includes of hw/hw.h 2021-05-02 17:24:50 +02:00
mchp_pfsoc_sysreg.c hw: Remove superfluous includes of hw/hw.h 2021-05-02 17:24:50 +02:00
meson.build hw/misc/aspeed: Add PECI controller 2022-06-30 09:21:14 +02:00
mips_cmgcr.c
mips_cpc.c
mips_itu.c compiler.h: replace QEMU_NORETURN with G_NORETURN 2022-04-21 17:03:51 +04:00
mos6522.c monitor: expose monitor_puts to rest of code 2022-10-06 11:53:40 +01:00
mps2-fpgaio.c hw/misc/mps2-fpgaio: Support AN547 DBGCTRL register 2021-03-08 17:20:03 +00:00
mps2-scc.c hw/misc/mps2-scc: Free MPS2SCC::oscclk[] array on finalize() 2023-12-20 19:11:10 +03:00
msf2-sysreg.c
mst_fpga.c hw/arm: Constify VMStateDescription 2021-05-02 17:24:50 +02:00
npcm7xx_clk.c hw/misc/npcm7xx_clk: Don't leak string in npcm7xx_clk_sel_init() 2022-03-18 10:55:15 +00:00
npcm7xx_gcr.c hw/*: Use type casting for SysBusDevice in NPCM7XX 2021-01-12 21:19:02 +00:00
npcm7xx_mft.c hw/misc: Add NPCM7XX MFT Module 2021-03-12 12:48:56 +00:00
npcm7xx_pwm.c hw/misc: Add GPIOs for duty in NPCM7xx PWM 2021-03-12 12:48:56 +00:00
npcm7xx_rng.c hw/*: Use type casting for SysBusDevice in NPCM7XX 2021-01-12 21:19:02 +00:00
nrf51_rng.c
omap_clk.c
omap_gpmc.c
omap_l4.c
omap_sdrc.c
omap_tap.c
pc-testdev.c
pca9552.c misc/pca9552: Fix LED status register indexing in pca955x_get_led() 2021-09-20 08:50:59 +02:00
pci-testdev.c
pvpanic-isa.c acpi: pvpanic-isa: use AcpiDevAmlIfClass:build_dev_aml to provide device's AML 2022-06-09 19:32:49 -04:00
pvpanic-pci.c hw/misc/pvpanic: Use standard headers instead 2022-03-06 05:08:23 -05:00
pvpanic.c hw/misc/pvpanic: Use standard headers instead 2022-03-06 05:08:23 -05:00
sbsa_ec.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
sga.c hw/misc: deprecate the 'sga' device 2021-11-02 17:24:18 +01:00
sifive_e_prci.c hw: Remove superfluous includes of hw/hw.h 2021-05-02 17:24:50 +02:00
sifive_test.c hw: Remove superfluous includes of hw/hw.h 2021-05-02 17:24:50 +02:00
sifive_u_otp.c block: Change blk_{pread,pwrite}() param order 2022-07-12 12:14:56 +02:00
sifive_u_prci.c
slavio_misc.c
stm32f2xx_syscfg.c
stm32f4xx_exti.c
stm32f4xx_syscfg.c
trace-events hw/misc/grlib_ahb_apb_pnp: Support 8 and 16 bit accesses 2022-08-08 23:43:11 +02:00
trace.h
tz-mpc.c
tz-msc.c
tz-ppc.c tz-ppc: add dummy read/write methods 2021-02-08 15:15:32 +01:00
unimp.c
virt_ctrl.c hw/m68k: Fix typo in SPDX tag 2021-11-09 10:11:27 +01:00
vmcoreinfo.c
xlnx-versal-crl.c hw/misc: Add a model of the Xilinx Versal CRL 2022-04-21 11:37:03 +01:00
xlnx-versal-pmc-iou-slcr.c hw/misc: Add a model of Versal's PMC SLCR 2022-01-28 14:29:46 +00:00
xlnx-versal-xramc.c hw/misc: versal: Add a model of the XRAM controller 2021-03-12 12:40:09 +00:00
xlnx-zynqmp-apu-ctrl.c hw/misc: Add a model of the Xilinx ZynqMP APU Control 2022-03-18 11:31:20 +00:00
xlnx-zynqmp-crf.c hw/misc: Add a model of the Xilinx ZynqMP CRF 2022-03-18 11:31:20 +00:00
zynq_slcr.c hw/misc: zynq_slcr: Correctly compute output clocks in the reset exit phase 2021-09-13 16:07:20 +01:00