Commit 992e01e838 for qemu.org
commit 992e01e838733c8063f8a17e92034c5f35e34963
Author: BALATON Zoltan <balaton@eik.bme.hu>
Date: Mon Apr 6 03:20:31 2026 +0200
ati-vga: Do not crash on 24 bits per pixel
The stn_he_p function only supports power-of-two sizes, so it will
assert if we call it with size 3, which happens with 24 bits per pixel.
It's not clear from the documentation whether this should be supported,
and the drivers tested so far don't use it, so for now refuse the
parameters that would crash QEMU.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <20260406012031.335A0596A24@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index 9baf6ff37b..f0f77cecc6 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -265,6 +265,10 @@ static bool ati_2d_do_blt(ATI2DCtx *ctx, uint8_t use_pixman)
{
uint32_t filler = 0;
+ if (ctx->bpp == 24) {
+ qemu_log_mask(LOG_UNIMP, "Fill blt unsupported in 24 bits\n");
+ return false;
+ }
switch (ctx->rop3) {
case ROP3_PATCOPY:
filler = make_filler(ctx->bpp, ctx->frgd_clr);
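Review bot: The guard `if (ctx->bpp == 24)` encodes one known-bad value rather than the precondition the commit message describes, namely that stn_he_p asserts on any size that is not a power of two. bpp is presumably derived from guest-programmed state, so any other value that produces such a size would still abort QEMU. The stn_he_p call and the enclosing block lie outside this hunk, so that cannot be confirmed here. A comment above the check such as `/* stn_he_p() asserts on non power-of-two sizes; 24 bpp means 3 bytes per pixel */` would tie the test to the constraint it protects. The same literal test is repeated in ati_host_data_flush in the next hunk, and the two LOG_UNIMP messages use different prefixes (`Fill blt unsupported ...` versus `host_data_blt: ...`); a consistent prefix would make them easier to find in logs.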
@@ -362,6 +366,11 @@ bool ati_host_data_flush(ATIVGAState *s)
setup_2d_blt_ctx(s, &ctx);
+ if (ctx.bpp == 24) {
+ qemu_log_mask(LOG_UNIMP,
+ "host_data_blt: unsupported in 24 bits mode\n");
+ return false;
+ }
if (!ctx.left_to_right || !ctx.top_to_bottom) {
qemu_log_mask(LOG_UNIMP,
"host_data_blt: unsupported blit direction %c%c\n",