From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1LjGz2-0001Ll-HW
	for qemu-devel@nongnu.org; Mon, 16 Mar 2009 13:52:16 -0400
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1LjGyy-0001Jl-R2
	for qemu-devel@nongnu.org; Mon, 16 Mar 2009 13:52:16 -0400
Received: from [199.232.76.173] (port=46590 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1LjGyy-0001JU-Cy
	for qemu-devel@nongnu.org; Mon, 16 Mar 2009 13:52:12 -0400
Received: from lizzard.sbs.de ([194.138.37.39]:17483)
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60)
	(envelope-from <jan.kiszka@siemens.com>) id 1LjGyx-00030b-QB
	for qemu-devel@nongnu.org; Mon, 16 Mar 2009 13:52:12 -0400
Received: from mail1.sbs.de (localhost [127.0.0.1])
	by lizzard.sbs.de (8.12.11.20060308/8.12.11) with ESMTP id
	n2GHq7bi022165
	for <qemu-devel@nongnu.org>; Mon, 16 Mar 2009 18:52:08 +0100
Received: from [139.25.109.167] (mchn012c.mchp.siemens.de [139.25.109.167]
	(may be forged))
	by mail1.sbs.de (8.12.11.20060308/8.12.11) with ESMTP id n2GHq78f030478
	for <qemu-devel@nongnu.org>; Mon, 16 Mar 2009 18:52:07 +0100
Message-ID: <49BE91C7.402@siemens.com>
Date: Mon, 16 Mar 2009 18:52:07 +0100
From: Jan Kiszka <jan.kiszka@siemens.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Subject: [Qemu-devel] [PATCH] x86: Add NULL check to lsl
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel <qemu-devel@nongnu.org>

According to the Intel specs, lsl performs a check against NULL for the
provided selector, just like lar does. helper_lar() includes the
corresponding code, helper_lsl() was lacking it so far.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

 target-i386/op_helper.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/target-i386/op_helper.c b/target-i386/op_helper.c
index 25e079b..be09263 100644
--- a/target-i386/op_helper.c
+++ b/target-i386/op_helper.c
@@ -3241,6 +3241,8 @@ target_ulong helper_lsl(target_ulong selector1)
 
     selector = selector1 & 0xffff;
     eflags = helper_cc_compute_all(CC_OP);
+    if ((selector & 0xfffc) == 0)
+        goto fail;
     if (load_segment(&e1, &e2, selector) != 0)
         goto fail;
     rpl = selector & 3;