Commit 6af42f7c50 for qemu.org

commit 6af42f7c50cb4356d0e9462c7c126911bc59e062
Author: BALATON Zoltan <balaton@eik.bme.hu>
Date:   Mon Mar 30 23:09:17 2026 +0200

    ati-vga: Add upper limit to x-linear-aper-size property

    Coverity warns in CID 1645968 about possible integer overflow. This
    should never happen but to ensure that, add an upper limit on the
    x-linear-aper-size. This may not silence the warning but makes sure
    users cannot cause an overflow.

    Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
    Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
    Message-ID: <541ffffdaa4c67b9dcbca6c2498e69b137bce95d.1774904832.git.balaton@eik.bme.hu>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

diff --git a/hw/display/ati.c b/hw/display/ati.c
index fc19737d1f..97d871b1e2 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -1130,6 +1130,10 @@ static void ati_vga_realize(PCIDevice *dev, Error **errp)
             s->linear_aper_sz = ATI_R100_LINEAR_APER_SIZE;
         }
     }
+    if (s->linear_aper_sz > 256 * MiB) {
+        error_setg(errp, "x-linear-aper-size is too large (maximum 256 MiB)");
+        return;
+    }
     if (s->linear_aper_sz < 16 * MiB) {
         error_setg(errp, "x-linear-aper-size is too small (minimum 16 MiB)");
         return;