[Qemu-devel] [PATCH v3 0/2] ati: fix ati_cursor_define bug.

[Qemu-devel] [PATCH v3 0/2] ati: fix ati_cursor_define bug.

[Gerd Hoffmann]

Gerd Hoffmann (2):
  vga: move access helpers to separate include file
  ati: use vga_read_byte in ati_cursor_define

 hw/display/vga-access.h  | 49 ++++++++++++++++++++++++++++++++++++++++
 hw/display/vga-helpers.h | 26 ---------------------
 hw/display/ati.c         | 19 ++++++++--------
 hw/display/vga.c         |  1 +
 4 files changed, 60 insertions(+), 35 deletions(-)
 create mode 100644 hw/display/vga-access.h

-- 
2.18.1

[Qemu-devel] [PATCH v3 1/2] vga: move access helpers to separate include file

[Gerd Hoffmann]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/vga-access.h  | 49 ++++++++++++++++++++++++++++++++++++++++
 hw/display/vga-helpers.h | 26 ---------------------
 hw/display/vga.c         |  1 +
 3 files changed, 50 insertions(+), 26 deletions(-)
 create mode 100644 hw/display/vga-access.h

diff --git a/hw/display/vga-access.h b/hw/display/vga-access.h
new file mode 100644
index 000000000000..c0fbd9958b2e
--- /dev/null
+++ b/hw/display/vga-access.h
@@ -0,0 +1,49 @@
+/*
+ * QEMU VGA Emulator templates
+ *
+ * Copyright (c) 2003 Fabrice Bellard
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
+{
+    return vga->vram_ptr[addr & vga->vbe_size_mask];
+}
+
+static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
+{
+    uint32_t offset = addr & vga->vbe_size_mask & ~1;
+    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+    return lduw_le_p(ptr);
+}
+
+static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
+{
+    uint32_t offset = addr & vga->vbe_size_mask & ~1;
+    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+    return lduw_be_p(ptr);
+}
+
+static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
+{
+    uint32_t offset = addr & vga->vbe_size_mask & ~3;
+    uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
+    return ldl_le_p(ptr);
+}
diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h
index 5a752b3f9efd..10e9cfd40a04 100644
--- a/hw/display/vga-helpers.h
+++ b/hw/display/vga-helpers.h
@@ -95,32 +95,6 @@ static void vga_draw_glyph9(uint8_t *d, int linesize,
     } while (--h);
 }
 
-static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
-{
-    return vga->vram_ptr[addr & vga->vbe_size_mask];
-}
-
-static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
-{
-    uint32_t offset = addr & vga->vbe_size_mask & ~1;
-    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
-    return lduw_le_p(ptr);
-}
-
-static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
-{
-    uint32_t offset = addr & vga->vbe_size_mask & ~1;
-    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
-    return lduw_be_p(ptr);
-}
-
-static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
-{
-    uint32_t offset = addr & vga->vbe_size_mask & ~3;
-    uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
-    return ldl_le_p(ptr);
-}
-
 /*
  * 4 color mode
  */
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 573d223d46f0..82ebe5361096 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1009,6 +1009,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
 typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,
                                 uint32_t srcaddr, int width);
 
+#include "vga-access.h"
 #include "vga-helpers.h"
 
 /* return true if the palette was modified */
-- 
2.18.1

[Qemu-devel] [PATCH v3 2/2] ati: use vga_read_byte in ati_cursor_define

[Gerd Hoffmann]

This makes sure reads are confined to vga video memory.

v3: use uint32_t, fix cut+paste bug.
v2: fix ati_cursor_draw_line too.

Reported-by: xu hang <flier_m@outlook.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/ati.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/hw/display/ati.c b/hw/display/ati.c
index 8f940eee221a..db3b2543163f 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -19,6 +19,7 @@
 #include "qemu/osdep.h"
 #include "ati_int.h"
 #include "ati_regs.h"
+#include "vga-access.h"
 #include "hw/qdev-properties.h"
 #include "vga_regs.h"
 #include "qemu/log.h"
@@ -135,19 +136,19 @@ static void ati_vga_switch_mode(ATIVGAState *s)
 static void ati_cursor_define(ATIVGAState *s)
 {
     uint8_t data[1024];
-    uint8_t *src;
+    uint32_t srcoff;
     int i, j, idx = 0;
 
     if ((s->regs.cur_offset & BIT(31)) || s->cursor_guest_mode) {
         return; /* Do not update cursor if locked or rendered by guest */
     }
     /* FIXME handle cur_hv_offs correctly */
-    src = s->vga.vram_ptr + s->regs.cur_offset -
-          (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16;
+    srcoff = s->regs.cur_offset -
+        (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16;
     for (i = 0; i < 64; i++) {
         for (j = 0; j < 8; j++, idx++) {
-            data[idx] = src[i * 16 + j];
-            data[512 + idx] = src[i * 16 + j + 8];
+            data[idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j);
+            data[512 + idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j + 8);
         }
     }
     if (!s->cursor) {
@@ -189,7 +190,7 @@ static void ati_cursor_invalidate(VGACommonState *vga)
 static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
 {
     ATIVGAState *s = container_of(vga, ATIVGAState, vga);
-    uint8_t *src;
+    uint32_t srcoff;
     uint32_t *dp = (uint32_t *)d;
     int i, j, h;
 
@@ -199,13 +200,13 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
         return;
     }
     /* FIXME handle cur_hv_offs correctly */
-    src = s->vga.vram_ptr + s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
+    srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
     dp = &dp[vga->hw_cursor_x];
     h = ((s->regs.crtc_h_total_disp >> 16) + 1) * 8;
     for (i = 0; i < 8; i++) {
         uint32_t color;
-        uint8_t abits = src[i];
-        uint8_t xbits = src[i + 8];
+        uint8_t abits = vga_read_byte(vga, srcoff + i);
+        uint8_t xbits = vga_read_byte(vga, srcoff + i + 8);
         for (j = 0; j < 8; j++, abits <<= 1, xbits <<= 1) {
             if (abits & BIT(7)) {
                 if (xbits & BIT(7)) {
-- 
2.18.1

Re: [Qemu-devel] [PATCH v3 2/2] ati: use vga_read_byte in ati_cursor_define

[BALATON Zoltan]

On Tue, 17 Sep 2019, Gerd Hoffmann wrote:
> This makes sure reads are confined to vga video memory.
>
> v3: use uint32_t, fix cut+paste bug.
> v2: fix ati_cursor_draw_line too.
>
> Reported-by: xu hang <flier_m@outlook.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>

Thank you,
BALATON Zoltan

> ---
> hw/display/ati.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 8f940eee221a..db3b2543163f 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -19,6 +19,7 @@
> #include "qemu/osdep.h"
> #include "ati_int.h"
> #include "ati_regs.h"
> +#include "vga-access.h"
> #include "hw/qdev-properties.h"
> #include "vga_regs.h"
> #include "qemu/log.h"
> @@ -135,19 +136,19 @@ static void ati_vga_switch_mode(ATIVGAState *s)
> static void ati_cursor_define(ATIVGAState *s)
> {
>     uint8_t data[1024];
> -    uint8_t *src;
> +    uint32_t srcoff;
>     int i, j, idx = 0;
>
>     if ((s->regs.cur_offset & BIT(31)) || s->cursor_guest_mode) {
>         return; /* Do not update cursor if locked or rendered by guest */
>     }
>     /* FIXME handle cur_hv_offs correctly */
> -    src = s->vga.vram_ptr + s->regs.cur_offset -
> -          (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16;
> +    srcoff = s->regs.cur_offset -
> +        (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16;
>     for (i = 0; i < 64; i++) {
>         for (j = 0; j < 8; j++, idx++) {
> -            data[idx] = src[i * 16 + j];
> -            data[512 + idx] = src[i * 16 + j + 8];
> +            data[idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j);
> +            data[512 + idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j + 8);
>         }
>     }
>     if (!s->cursor) {
> @@ -189,7 +190,7 @@ static void ati_cursor_invalidate(VGACommonState *vga)
> static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
> {
>     ATIVGAState *s = container_of(vga, ATIVGAState, vga);
> -    uint8_t *src;
> +    uint32_t srcoff;
>     uint32_t *dp = (uint32_t *)d;
>     int i, j, h;
>
> @@ -199,13 +200,13 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
>         return;
>     }
>     /* FIXME handle cur_hv_offs correctly */
> -    src = s->vga.vram_ptr + s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
> +    srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
>     dp = &dp[vga->hw_cursor_x];
>     h = ((s->regs.crtc_h_total_disp >> 16) + 1) * 8;
>     for (i = 0; i < 8; i++) {
>         uint32_t color;
> -        uint8_t abits = src[i];
> -        uint8_t xbits = src[i + 8];
> +        uint8_t abits = vga_read_byte(vga, srcoff + i);
> +        uint8_t xbits = vga_read_byte(vga, srcoff + i + 8);
>         for (j = 0; j < 8; j++, abits <<= 1, xbits <<= 1) {
>             if (abits & BIT(7)) {
>                 if (xbits & BIT(7)) {
>

Re: [Qemu-devel] [PATCH v3 0/2] ati: fix ati_cursor_define bug.

[no-reply]

Patchew URL: https://patchew.org/QEMU/20190917111441.27405-1-kraxel@redhat.com/



Hi,

This series failed the asan build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#!/bin/bash
make docker-image-fedora V=1 NETWORK=1
time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1
=== TEST SCRIPT END ===

./tests/docker/docker.py --engine auto build qemu:fedora tests/docker/dockerfiles/fedora.docker   --add-current-user  
Image is up to date.
  LD      docker-test-debug@fedora.mo
cc: fatal error: no input files
compilation terminated.
make: *** [docker-test-debug@fedora.mo] Error 4



The full log is available at
http://patchew.org/logs/20190917111441.27405-1-kraxel@redhat.com/testing.asan/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com

Re: [Qemu-devel] [PATCH v3 0/2] ati: fix ati_cursor_define bug.

[no-reply]

Patchew URL: https://patchew.org/QEMU/20190917111441.27405-1-kraxel@redhat.com/



Hi,

This series failed the docker-mingw@fedora build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#! /bin/bash
make docker-image-fedora V=1 NETWORK=1
time make docker-test-mingw@fedora J=14 NETWORK=1
=== TEST SCRIPT END ===

./tests/docker/docker.py --engine auto build qemu:fedora tests/docker/dockerfiles/fedora.docker   --add-current-user  
Image is up to date.
  LD      docker-test-mingw@fedora.mo
cc: fatal error: no input files
compilation terminated.
make: *** [docker-test-mingw@fedora.mo] Error 4



The full log is available at
http://patchew.org/logs/20190917111441.27405-1-kraxel@redhat.com/testing.docker-mingw@fedora/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com

Re: [Qemu-devel] [PATCH v3 1/2] vga: move access helpers to separate include file

[Philippe Mathieu-Daudé]

On 9/17/19 1:14 PM, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/display/vga-access.h  | 49 ++++++++++++++++++++++++++++++++++++++++
>  hw/display/vga-helpers.h | 26 ---------------------
>  hw/display/vga.c         |  1 +
>  3 files changed, 50 insertions(+), 26 deletions(-)
>  create mode 100644 hw/display/vga-access.h
> 
> diff --git a/hw/display/vga-access.h b/hw/display/vga-access.h
> new file mode 100644
> index 000000000000..c0fbd9958b2e
> --- /dev/null
> +++ b/hw/display/vga-access.h
> @@ -0,0 +1,49 @@
> +/*
> + * QEMU VGA Emulator templates
> + *
> + * Copyright (c) 2003 Fabrice Bellard
> + *
> + * Permission is hereby granted, free of charge, to any person obtaining a copy
> + * of this software and associated documentation files (the "Software"), to deal
> + * in the Software without restriction, including without limitation the rights
> + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
> + * copies of the Software, and to permit persons to whom the Software is
> + * furnished to do so, subject to the following conditions:
> + *
> + * The above copyright notice and this permission notice shall be included in
> + * all copies or substantial portions of the Software.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
> + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
> + * THE SOFTWARE.
> + */
> +
> +static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
> +{
> +    return vga->vram_ptr[addr & vga->vbe_size_mask];
> +}
> +
> +static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
> +{
> +    uint32_t offset = addr & vga->vbe_size_mask & ~1;
> +    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
> +    return lduw_le_p(ptr);
> +}
> +
> +static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
> +{
> +    uint32_t offset = addr & vga->vbe_size_mask & ~1;
> +    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
> +    return lduw_be_p(ptr);
> +}
> +
> +static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
> +{
> +    uint32_t offset = addr & vga->vbe_size_mask & ~3;
> +    uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
> +    return ldl_le_p(ptr);
> +}
> diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h
> index 5a752b3f9efd..10e9cfd40a04 100644
> --- a/hw/display/vga-helpers.h
> +++ b/hw/display/vga-helpers.h
> @@ -95,32 +95,6 @@ static void vga_draw_glyph9(uint8_t *d, int linesize,
>      } while (--h);
>  }
>  
> -static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
> -{
> -    return vga->vram_ptr[addr & vga->vbe_size_mask];
> -}
> -
> -static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
> -{
> -    uint32_t offset = addr & vga->vbe_size_mask & ~1;
> -    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
> -    return lduw_le_p(ptr);
> -}
> -
> -static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
> -{
> -    uint32_t offset = addr & vga->vbe_size_mask & ~1;
> -    uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
> -    return lduw_be_p(ptr);
> -}
> -
> -static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
> -{
> -    uint32_t offset = addr & vga->vbe_size_mask & ~3;
> -    uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
> -    return ldl_le_p(ptr);
> -}
> -
>  /*
>   * 4 color mode
>   */
> diff --git a/hw/display/vga.c b/hw/display/vga.c
> index 573d223d46f0..82ebe5361096 100644
> --- a/hw/display/vga.c
> +++ b/hw/display/vga.c
> @@ -1009,6 +1009,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
>  typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,
>                                  uint32_t srcaddr, int width);
>  
> +#include "vga-access.h"
>  #include "vga-helpers.h"
>  
>  /* return true if the palette was modified */
> 

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Re: [Qemu-devel] [PATCH v3 2/2] ati: use vga_read_byte in ati_cursor_define

[Philippe Mathieu-Daudé]

On 9/17/19 1:14 PM, Gerd Hoffmann wrote:
> This makes sure reads are confined to vga video memory.
> 
> v3: use uint32_t, fix cut+paste bug.
> v2: fix ati_cursor_draw_line too.
> 
> Reported-by: xu hang <flier_m@outlook.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/display/ati.c | 19 ++++++++++---------
>  1 file changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/hw/display/ati.c b/hw/display/ati.c
> index 8f940eee221a..db3b2543163f 100644
> --- a/hw/display/ati.c
> +++ b/hw/display/ati.c
> @@ -19,6 +19,7 @@
>  #include "qemu/osdep.h"
>  #include "ati_int.h"
>  #include "ati_regs.h"
> +#include "vga-access.h"
>  #include "hw/qdev-properties.h"
>  #include "vga_regs.h"
>  #include "qemu/log.h"
> @@ -135,19 +136,19 @@ static void ati_vga_switch_mode(ATIVGAState *s)
>  static void ati_cursor_define(ATIVGAState *s)
>  {
>      uint8_t data[1024];
> -    uint8_t *src;
> +    uint32_t srcoff;
>      int i, j, idx = 0;
>  
>      if ((s->regs.cur_offset & BIT(31)) || s->cursor_guest_mode) {
>          return; /* Do not update cursor if locked or rendered by guest */
>      }
>      /* FIXME handle cur_hv_offs correctly */
> -    src = s->vga.vram_ptr + s->regs.cur_offset -
> -          (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16;
> +    srcoff = s->regs.cur_offset -
> +        (s->regs.cur_hv_offs >> 16) - (s->regs.cur_hv_offs & 0xffff) * 16;
>      for (i = 0; i < 64; i++) {
>          for (j = 0; j < 8; j++, idx++) {
> -            data[idx] = src[i * 16 + j];
> -            data[512 + idx] = src[i * 16 + j + 8];
> +            data[idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j);
> +            data[512 + idx] = vga_read_byte(&s->vga, srcoff + i * 16 + j + 8);
>          }
>      }
>      if (!s->cursor) {
> @@ -189,7 +190,7 @@ static void ati_cursor_invalidate(VGACommonState *vga)
>  static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
>  {
>      ATIVGAState *s = container_of(vga, ATIVGAState, vga);
> -    uint8_t *src;
> +    uint32_t srcoff;
>      uint32_t *dp = (uint32_t *)d;
>      int i, j, h;
>  
> @@ -199,13 +200,13 @@ static void ati_cursor_draw_line(VGACommonState *vga, uint8_t *d, int scr_y)
>          return;
>      }
>      /* FIXME handle cur_hv_offs correctly */
> -    src = s->vga.vram_ptr + s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
> +    srcoff = s->cursor_offset + (scr_y - vga->hw_cursor_y) * 16;
>      dp = &dp[vga->hw_cursor_x];
>      h = ((s->regs.crtc_h_total_disp >> 16) + 1) * 8;
>      for (i = 0; i < 8; i++) {
>          uint32_t color;
> -        uint8_t abits = src[i];
> -        uint8_t xbits = src[i + 8];
> +        uint8_t abits = vga_read_byte(vga, srcoff + i);
> +        uint8_t xbits = vga_read_byte(vga, srcoff + i + 8);
>          for (j = 0; j < 8; j++, abits <<= 1, xbits <<= 1) {
>              if (abits & BIT(7)) {
>                  if (xbits & BIT(7)) {
> 

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>