Commit 579be921f5 for qemu.org

commit 579be921f509fb9d2deccc4233496e36b221abb3
Author: Peter Maydell <peter.maydell@linaro.org>
Date:   Fri Nov 7 14:39:13 2025 +0000

    hw/display/exynos4210_fimd: Account for zero length in fimd_update_memory_section()

    In fimd_update_memory_section() we attempt to find and map part of
    the RAM MR which backs the framebuffer, based on guest-configurable
    size and start address.

    If the guest configures framebuffer settings which result in a
    zero-sized framebuffer, we hit an assertion(), because
    memory_region_find() will return a NULL mem_section.mr.

    Explicitly check for the zero-size case and treat this as a
    guest error.

    Because we now have a code path which can reach error_return without
    calling memory_region_find to set w->mem_section, we must NULL out
    w->mem_section.mr after the unref of the old MR, so that error_return
    does not incorrectly double-unref the old MR.

    Cc: qemu-stable@nongnu.org
    Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1407
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
    Message-id: 20251107143913.1341358-1-peter.maydell@linaro.org

diff --git a/hw/display/exynos4210_fimd.c b/hw/display/exynos4210_fimd.c
index 6b1eb43987..49c180fec0 100644
--- a/hw/display/exynos4210_fimd.c
+++ b/hw/display/exynos4210_fimd.c
@@ -1146,6 +1146,13 @@ static void fimd_update_memory_section(Exynos4210fimdState *s, unsigned win)
     if (w->mem_section.mr) {
         memory_region_set_log(w->mem_section.mr, false, DIRTY_MEMORY_VGA);
         memory_region_unref(w->mem_section.mr);
+        w->mem_section.mr = NULL;
+    }
+
+    if (w->fb_len == 0) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "FIMD: Guest config means framebuffer is zero length\n");
+        goto error_return;
     }

     w->mem_section = memory_region_find(s->fbmem, fb_start_addr, w->fb_len);
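Review bot: the `w->fb_len == 0` check is placed after the old MR has already been unreffed and `w->mem_section.mr` set to NULL, so a guest that programs a zero-length framebuffer also drops the window's previous mapping before jumping to `error_return`; that is consistent with the commit message's intent to treat this as a guest error, and the NULL assignment is what keeps `error_return` from unreffing the old MR a second time, so please keep the two lines together if the check is ever moved. The `qemu_log_mask(LOG_GUEST_ERROR, ...)` message does not say which window is affected; since `win` is in scope here, including it (e.g. `"FIMD: window %u: Guest config means framebuffer is zero length\n", win`) would make the log line actionable when several windows are configured.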