Commit 2f1fbe6ee9 for qemu.org
commit 2f1fbe6ee9b5bcae279f9260f0ac436022119a94
Author: BALATON Zoltan <balaton@eik.bme.hu>
Date: Sat Mar 21 17:30:19 2026 +0100
ati-vga: Make sure hardware cursor data is within vram
Add a check to make sure we don't read past the end of VRAM when fetching the
mouse pointer image.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <2ecf42bdeb96a4206b27dc39b3ff13cc8a6190d0.1774110169.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
diff --git a/hw/display/ati.c b/hw/display/ati.c
index c054c9aa7a..fc19737d1f 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -150,6 +150,9 @@ static void ati_cursor_define(ATIVGAState *s)
/* FIXME handle cur_hv_offs correctly */
srcoff = s->regs.cur_offset - (s->regs.cur_hv_offs >> 16) -
(s->regs.cur_hv_offs & 0xffff) * 16;
+ if (srcoff + 64 * 16 > s->vga.vram_size) {
+ return;
+ }
for (int i = 0; i < 64; i++, srcoff += 16) {
data[i] = ldq_le_p(&s->vga.vram_ptr[srcoff]);
data[i + 64] = ldq_le_p(&s->vga.vram_ptr[srcoff + 8]);
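Review bot: The new bound check on line 19 can be bypassed by unsigned wrap-around: srcoff is the difference of guest-written registers (cur_offset minus both halves of cur_hv_offs), so it can underflow to a value just below 2^32, and `srcoff + 64 * 16` then wraps back to a small number that passes the comparison while the loop still indexes vram_ptr with the huge srcoff. This assumes srcoff and vram_size are 32-bit unsigned, which the hunk does not show but appears likely from how they are used. A form that cannot wrap is `if (srcoff >= s->vga.vram_size || s->vga.vram_size - srcoff < 64 * 16) { return; }`, or perform the comparison in 64-bit arithmetic. ati_cursor_define begins before this hunk and continues after it.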
@@ -204,6 +207,9 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
}
/* FIXME handle cur_hv_offs correctly */
srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
+ if (srcoff + 16 > s->vga.vram_size) {
+ return;
+ }
dp = &dp[vga->hw_cursor_x];
h = ((s->regs.crtc_h_total_disp >> 16) + 1) * 8;
abits = ldq_be_p(&vga->vram_ptr[srcoff]);
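Review bot: The check on line 29 has the same wrap hazard as the one added in ati_cursor_define: if s->cursor_offset can hold a value near the top of its 32-bit range (it is assigned outside this hunk, so whether it is validated first is not visible here), `srcoff + 16` wraps to a small value, the comparison passes, and the 16-byte read starting at srcoff (the ldq_be_p on the last line and presumably a second one at srcoff + 8) goes out of bounds. `if (srcoff >= vga->vram_size || vga->vram_size - srcoff < 16) { return; }` cannot wrap and also uses the same `vga->` handle as the vram_ptr access on the last line instead of mixing `s->vga.vram_size` with `vga->vram_ptr`. The body of ati_cursor_draw_line starts before this hunk.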