File 0356-sm501-Fix-support-for-non-zero-fram.patch of Package qemu.19799

From: BALATON Zoltan <balaton@eik.bme.hu>
Date: Wed, 4 Jul 2018 11:40:58 +0200
Subject: sm501: Fix support for non-zero frame buffer start address

Git-commit: 33159dd7ce2ccd14ab31062d80632297e04e46cf
References: bsc#1172385, CVE-2020-12829

Display updates and drawing hardware cursor did not work when frame
buffer address was non-zero. Fix this by taking the frame buffer
address into account in these cases. This fixes screen dragging on
AmigaOS. Based on patch by Sebastian Bauer.

Signed-off-by: Sebastian Bauer <mail@sebastianbauer.info>
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/display/sm501.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index 25246a3e903377b2b723c1774987..0fd0cfc05612bbbbb1910d336055 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -570,6 +570,11 @@ static inline int get_bpp(SM501State *s, int crt)
     return 1 << (bpp & 3);
 }
 
+static ram_addr_t get_fb_addr(SM501State *s, int crt)
+{
+    return (crt ? s->dc_crt_fb_addr : s->dc_panel_fb_addr) & 0x3FFFFF0;
+}
+
 /**
  * Check the availability of hardware cursor.
  * @param crt  0 for PANEL, 1 for CRT.
@@ -1046,6 +1051,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,
         break;
     case SM501_DC_PANEL_FB_ADDR:
 	s->dc_panel_fb_addr = value & 0x8FFFFFF0;
+        if (value & 0x8000000) {
+            qemu_log_mask(LOG_UNIMP, "Panel external memory not supported\n");
+        }
 	break;
     case SM501_DC_PANEL_FB_OFFSET:
 	s->dc_panel_fb_offset = value & 0x3FF03FF0;
@@ -1102,6 +1110,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,
 	break;
     case SM501_DC_CRT_FB_ADDR:
 	s->dc_crt_fb_addr = value & 0x8FFFFFF0;
+        if (value & 0x8000000) {
+            qemu_log_mask(LOG_UNIMP, "CRT external memory not supported\n");
+        }
 	break;
     case SM501_DC_CRT_FB_OFFSET:
 	s->dc_crt_fb_offset = value & 0x3FF03FF0;
@@ -1410,7 +1421,8 @@ static void sm501_update_display(void *opaque)
 
     /* draw each line according to conditions */
     memory_region_sync_dirty_bitmap(&s->local_mem_region);
-    for (y = 0, offset = 0; y < height; y++, offset += width * src_bpp) {
+    offset = get_fb_addr(s, crt);
+    for (y = 0; y < height; y++, offset += width * src_bpp) {
         int update, update_hwc;
         ram_addr_t page0 = offset;
         ram_addr_t page1 = offset + width * src_bpp - 1;