File 0201-sm501-Adjust-endianness-of-pixel-va.patch of Package qemu.19805

From: Marcus Comstedt <marcus@mc.pp.se>
Date: Wed, 19 Sep 2018 14:31:14 +0200
Subject: sm501: Adjust endianness of pixel value in rectangle fill

Git-commit: f3a60058c97f2f923e3883a8b129c7c8dfe46a3a
References: bsc#1172385, CVE-2020-12829

The value from twoD_foreground (which is in host endian format) must
be converted to the endianness of the framebuffer (currently always
little endian) before it can be used to perform the fill operation.

Signed-off-by: Marcus Comstedt <marcus@mc.pp.se>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/display/sm501.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/display/sm501.c b/hw/display/sm501.c
index acce7c3dc2823220b82c07cf8882..73857fe128bcb095e7be8c448f06 100644
--- a/hw/display/sm501.c
+++ b/hw/display/sm501.c
@@ -37,6 +37,7 @@
 #include "qemu/range.h"
 #include "ui/pixel_ops.h"
 #include "exec/address-spaces.h"
+#include "qemu/bswap.h"
 
 /*
  * Status: 2010/05/07
@@ -794,9 +795,11 @@ static void sm501_2d_operation(SM501State *s)
             FILL_RECT(1, uint8_t);
             break;
         case 1:
+            color = cpu_to_le16(color);
             FILL_RECT(2, uint16_t);
             break;
         case 2:
+            color = cpu_to_le32(color);
             FILL_RECT(4, uint32_t);
             break;
         }