Commit 2a886bda47 for qemu.org

commit 2a886bda476531566c673d93f28184bbf7bfd890
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
Date:   Wed Mar 11 01:26:54 2026 +0400

    virtio-gpu: use computed rowstride instead of deriving it from hostmem

    Since calc_image_hostmem() already computes the stride, return it and
    use it directly. This is both simpler and more correct.

    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
    Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
    Message-Id: <20260311-cve-v1-2-f72b4c7c1ab2@redhat.com>

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 468ea6ab0f..b998ce8324 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -229,7 +229,7 @@ void virtio_gpu_get_edid(VirtIOGPU *g,

 static bool calc_image_hostmem(pixman_format_code_t pformat,
                                uint32_t width, uint32_t height,
-                               uint32_t *hostmem)
+                               uint32_t *hostmem, uint32_t *rowstride_bytes)
 {
     uint64_t bpp = PIXMAN_FORMAT_BPP(pformat);
     uint64_t stride = (((uint64_t)width * bpp + 0x1f) >> 5) * sizeof(uint32_t);
@@ -240,6 +240,7 @@ static bool calc_image_hostmem(pixman_format_code_t pformat,
     }

     *hostmem = size;
+    *rowstride_bytes = stride;
     return true;
 }

@@ -250,7 +251,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
     pixman_format_code_t pformat;
     struct virtio_gpu_simple_resource *res;
     struct virtio_gpu_resource_create_2d c2d;
-    uint32_t hostmem;
+    uint32_t hostmem, rowstride_bytes;

     VIRTIO_GPU_FILL_CMD(c2d);
     virtio_gpu_bswap_32(&c2d, sizeof(c2d));
@@ -289,7 +290,8 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
         return;
     }

-    if (!calc_image_hostmem(pformat, c2d.width, c2d.height, &hostmem)) {
+    if (!calc_image_hostmem(pformat, c2d.width, c2d.height,
+                            &hostmem, &rowstride_bytes)) {
         qemu_log_mask(LOG_GUEST_ERROR, "%s: image dimensions overflow\n",
                       __func__);
         goto end;
@@ -303,7 +305,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
                 pformat,
                 c2d.width,
                 c2d.height,
-                c2d.height ? res->hostmem / c2d.height : 0,
+                rowstride_bytes,
                 &err)) {
             warn_report_err(err);
             goto end;
@@ -1302,7 +1304,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size,
     VirtIOGPU *g = opaque;
     Error *err = NULL;
     struct virtio_gpu_simple_resource *res;
-    uint32_t resource_id, pformat, hostmem;
+    uint32_t resource_id, pformat, hostmem, rowstride_bytes;
     int i, ret;

     g->hostmem = 0;
@@ -1328,7 +1330,8 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size,
             return -EINVAL;
         }

-        if (!calc_image_hostmem(pformat, res->width, res->height, &hostmem)) {
+        if (!calc_image_hostmem(pformat, res->width, res->height,
+                                &hostmem, &rowstride_bytes)) {
             g_free(res);
             return -EINVAL;
         }
@@ -1339,7 +1342,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size,
                                              pformat,
                                              res->width,
                                              res->height,
-                                             res->height ? res->hostmem / res->height : 0,
+                                             rowstride_bytes,
                                              &err)) {
             warn_report_err(err);
             g_free(res);