From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:45645)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <blauwirbel@gmail.com>) id 1QYPB7-0002p6-76
	for qemu-devel@nongnu.org; Sun, 19 Jun 2011 17:05:10 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <blauwirbel@gmail.com>) id 1QYPB5-0008Ah-Qt
	for qemu-devel@nongnu.org; Sun, 19 Jun 2011 17:05:08 -0400
Received: from mail-qw0-f45.google.com ([209.85.216.45]:43697)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <blauwirbel@gmail.com>) id 1QYPB5-00085I-BO
	for qemu-devel@nongnu.org; Sun, 19 Jun 2011 17:05:07 -0400
Received: by mail-qw0-f45.google.com with SMTP id 8so441368qwj.4
	for <qemu-devel@nongnu.org>; Sun, 19 Jun 2011 14:05:07 -0700 (PDT)
MIME-Version: 1.0
From: Blue Swirl <blauwirbel@gmail.com>
Date: Mon, 20 Jun 2011 00:04:47 +0300
Message-ID: <BANLkTi=Yk-x75GssEDGN2V3OjDRxXbW-3g@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Subject: [Qemu-devel] [PATCH 02/18] TCG: fix negative frame offset
	calculations
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel <qemu-devel@nongnu.org>

size_t is unsigned, so the frame offset calculations can be incorrect for
negative offsets.

Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
---
 tcg/tcg.c |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/tcg/tcg.c b/tcg/tcg.c
index debf47f..d8bf721 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -1439,13 +1439,17 @@ static void temp_allocate_frame(TCGContext *s, int temp)
 {
     TCGTemp *ts;
     ts = &s->temps[temp];
-    s->current_frame_offset = (s->current_frame_offset +
sizeof(tcg_target_long) - 1) & ~(sizeof(tcg_target_long) - 1);
-    if (s->current_frame_offset + sizeof(tcg_target_long) > s->frame_end)
+    s->current_frame_offset = (s->current_frame_offset +
+                               (tcg_target_long)sizeof(tcg_target_long) - 1) &
+        ~(sizeof(tcg_target_long) - 1);
+    if (s->current_frame_offset + (tcg_target_long)sizeof(tcg_target_long) >
+        s->frame_end) {
         tcg_abort();
+    }
     ts->mem_offset = s->current_frame_offset;
     ts->mem_reg = s->frame_reg;
     ts->mem_allocated = 1;
-    s->current_frame_offset += sizeof(tcg_target_long);
+    s->current_frame_offset += (tcg_target_long)sizeof(tcg_target_long);
 }

 /* free register 'reg' by spilling the corresponding temporary if necessary */
-- 
1.6.2.4