
commit 0990cc8b286b9981b2548c3d591584d22c7bf2f1
Author: Junjie Cao <junjie.cao@intel.com>
Date:   Tue Apr 14 22:14:58 2026 +0800

    ati-vga: fix unsigned integer overflow in cursor bounds checks

    The cursor bounds checks compare (srcoff + N) against vram_size, but
    both sides are uint32_t so the addition can wrap past UINT32_MAX when
    srcoff underflows from the cur_hv_offs subtraction, causing the check
    to be bypassed.

    Rewrite the checks as (srcoff > vram_size - N) to avoid the
    overflow-prone addition, matching the style already used in
    ati_mm_read() and ati_mm_write().

    Cc: qemu-stable@nongnu.org
    Fixes: 2f1fbe6ee9b5 ("ati-vga: Make sure hardware cursor data is within vram")
    Signed-off-by: Junjie Cao <junjie.cao@intel.com>
    Message-ID: <20260414141458.1076014-1-junjie.cao@intel.com>
    Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

diff --git a/hw/display/ati.c b/hw/display/ati.c
index 88a5bbbf07..0489995d00 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -149,7 +149,7 @@ static void ati_cursor_define(ATIVGAState *s)
     /* FIXME handle cur_hv_offs correctly */
     srcoff = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
              (s->regs.cur_hv_offs & 0xffff) * 16;
-    if (srcoff + 64 * 16 > s->vga.vram_size) {
+    if (srcoff > s->vga.vram_size - 64 * 16) {
         return;
     }
     for (int i = 0; i < 64; i++, srcoff += 16) {
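Review bot: The rewritten guard on the `if (srcoff > s->vga.vram_size - 64 * 16)` line is only sound while vram_size is at least 64 * 16 bytes; if vram_size were ever smaller, the right-hand subtraction would itself wrap to a value near UINT32_MAX and the check would admit every srcoff, which is the same failure mode the commit is fixing on the left-hand side. ati_mm_read()/ati_mm_write() presumably rely on the same invariant, and the VRAM size configured for this device is very likely far larger, but that assumption is not visible in the hunk and deserves either a comment or an explicit lower bound, e.g. `if (s->vga.vram_size < 64 * 16 || srcoff > s->vga.vram_size - 64 * 16) {`. With that in place the wrapped value produced when the cur_hv_offs subtraction underflows srcoff is rejected as intended, and every read in the following loop stays within vram_size. The loop body of ati_cursor_define() continues past the end of the hunk.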
@@ -206,7 +206,7 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
     }
     /* FIXME handle cur_hv_offs correctly */
     srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
-    if (srcoff + 16 > s->vga.vram_size) {
+    if (srcoff > s->vga.vram_size - 16) {
         return;
     }
     dp = &dp[vga->hw_cursor_x];
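Review bot: The new check on the `if (srcoff > s->vga.vram_size - 16)` line has the same precondition as the one in ati_cursor_define(): it assumes vram_size >= 16, otherwise `s->vga.vram_size - 16` wraps and the guard rejects nothing. That is almost certainly true for any real VRAM size, but the expression `s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16` also relies on a guest-controlled negative row difference wrapping srcoff to a value above vram_size so that the comparison catches it, and neither assumption is documented; a short comment such as `/* requires vram_size >= 16; a negative row wraps srcoff past vram_size and is rejected */` would make the reasoning explicit for the next reader. The subsequent `dp = &dp[vga->hw_cursor_x]` is unchanged and its bound on hw_cursor_x is not visible here, so I cannot tell whether that offset is validated. ati_cursor_draw_line() starts before and continues after this hunk.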