From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:41282) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QLKfd-0004dB-Ev for qemu-devel@nongnu.org; Sat, 14 May 2011 15:38:38 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QLKfc-0002i9-Ij for qemu-devel@nongnu.org; Sat, 14 May 2011 15:38:37 -0400 Received: from mail-qw0-f45.google.com ([209.85.216.45]:51048) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QLKfc-0002hz-Dm for qemu-devel@nongnu.org; Sat, 14 May 2011 15:38:36 -0400 Received: by qwj8 with SMTP id 8so2053085qwj.4 for ; Sat, 14 May 2011 12:38:36 -0700 (PDT) MIME-Version: 1.0 From: Blue Swirl Date: Sat, 14 May 2011 22:38:16 +0300 Message-ID: Content-Type: multipart/mixed; boundary=20cf303b40457f423d04a3419154 Subject: [Qemu-devel] [PATCH 05/11] TCG: fix negative frame offset calculations List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel --20cf303b40457f423d04a3419154 Content-Type: text/plain; charset=UTF-8 size_t is unsigned, so the frame offset calculations can be incorrect for negative offsets. Signed-off-by: Blue Swirl --- tcg/tcg.c | 10 +++++++--- 1 files changed, 7 insertions(+), 3 deletions(-) diff --git a/tcg/tcg.c b/tcg/tcg.c index 8748c05..75972c3 100644 --- a/tcg/tcg.c +++ b/tcg/tcg.c 
@@ -1434,13 +1434,17 @@ static void temp_allocate_frame(TCGContext *s, int temp) { TCGTemp *ts; ts = &s->temps[temp]; - s->current_frame_offset = (s->current_frame_offset + sizeof(tcg_target_long) - 1) & ~(sizeof(tcg_target_long) - 1); - if (s->current_frame_offset + sizeof(tcg_target_long) > s->frame_end) + s->current_frame_offset = (s->current_frame_offset + + (tcg_target_long)sizeof(tcg_target_long) - 1) & + ~(sizeof(tcg_target_long) - 1); + if (s->current_frame_offset + (tcg_target_long)sizeof(tcg_target_long) > + s->frame_end) { tcg_abort(); + } ts->mem_offset = s->current_frame_offset; ts->mem_reg = s->frame_reg; ts->mem_allocated = 1; - s->current_frame_offset += sizeof(tcg_target_long); + s->current_frame_offset += (tcg_target_long)sizeof(tcg_target_long); } /* free register 'reg' by spilling the corresponding temporary if necessary */ -- 1.6.2.4 --20cf303b40457f423d04a3419154--
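Review bot: the mask operand `~(sizeof(tcg_target_long) - 1)` in the alignment statement is the one `sizeof` this hunk leaves uncast, so the `&` is still evaluated with the rounded offset converted to size_t and the unsigned result converted back to tcg_target_long on assignment. That preserves a negative offset's bit pattern when size_t and tcg_target_long have the same width, but it depends on implementation-defined conversion and is inconsistent with the three casts the hunk adds; suggest `~((tcg_target_long)sizeof(tcg_target_long) - 1)` so the whole expression is computed in the signed type. The behavioural fix is the comparison: with a negative `current_frame_offset`, `current_frame_offset + sizeof(tcg_target_long)` was evaluated as an unsigned value far larger than `frame_end`, so the check took the `tcg_abort()` path spuriously, which is what the commit message describes; the cast there is correct. The braces added around `tcg_abort()` are a style change bundled into the fix and worth a mention in the commit message.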
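To make the signed/unsigned mix-up concrete, here is an added example that is not code from the patch or from QEMU: a small model of the arithmetic in temp_allocate_frame(), written once the pre-patch way (bare `sizeof`) and once the post-patch way (`sizeof` cast to the signed type). `target_long` stands in for tcg_target_long, `struct frame` is a constructed stand-in for the two TCGContext fields the hunk touches, and all offsets are constructed sample values. The signed variant also casts the mask, which the patch itself leaves uncast.

```c
#include <stdio.h>

/* Stand-in for tcg_target_long: a signed integer with the width of the host
 * word, so a frame slot below the frame register has a negative offset.
 * The name is chosen for this example. */
typedef long target_long;

/* Constructed model of the two context fields the hunk touches. */
struct frame {
    target_long current_offset;   /* next free slot, possibly negative */
    target_long frame_end;        /* one past the last usable byte */
};

/* Pre-patch arithmetic. sizeof() yields size_t, so under the usual arithmetic
 * conversions the signed offset is converted to unsigned in the alignment
 * expression and, crucially, in the bounds comparison. Returns 1 when the
 * allocation is rejected (where the real code calls tcg_abort()). */
static int alloc_unsigned_math(struct frame *f)
{
    f->current_offset = (f->current_offset + sizeof(target_long) - 1)
                        & ~(sizeof(target_long) - 1);
    if (f->current_offset + sizeof(target_long) > f->frame_end) {
        return 1;
    }
    f->current_offset += sizeof(target_long);
    return 0;
}

/* Post-patch arithmetic: every sizeof() is cast to the signed type first, so
 * the additions and the comparison stay signed. The mask is cast here too. */
static int alloc_signed_math(struct frame *f)
{
    f->current_offset = (f->current_offset + (target_long)sizeof(target_long) - 1)
                        & ~((target_long)sizeof(target_long) - 1);
    if (f->current_offset + (target_long)sizeof(target_long) > f->frame_end) {
        return 1;
    }
    f->current_offset += (target_long)sizeof(target_long);
    return 0;
}

/* Constructed scenario: a frame laid out below the frame register, so usable
 * offsets run from -64 up to (but not including) 0 and the next free slot is
 * at -16. Each helper returns the allocator's verdict (1 = rejected) or the
 * offset left behind for the next allocation. */
static int unsigned_math_verdict_at_minus16(void)
{
    struct frame f = { -16, 0 };
    return alloc_unsigned_math(&f);   /* 1: (size_t)-16 + 8 is huge, so "> 0" */
}

static int signed_math_verdict_at_minus16(void)
{
    struct frame f = { -16, 0 };
    return alloc_signed_math(&f);     /* 0: -16 + 8 = -8, which is not > 0 */
}

static target_long signed_math_next_offset_at_minus16(void)
{
    struct frame f = { -16, 0 };
    alloc_signed_math(&f);
    return f.current_offset;          /* -8: the slot at -16 was handed out */
}

/* Both variants agree once offsets are non-negative: 13 rounds up to 16, the
 * slot fits below frame_end = 64, and the next free slot is 24. */
static target_long unsigned_math_next_offset_at_13(void)
{
    struct frame f = { 13, 64 };
    alloc_unsigned_math(&f);
    return f.current_offset;          /* 24 */
}

static target_long signed_math_next_offset_at_13(void)
{
    struct frame f = { 13, 64 };
    alloc_signed_math(&f);
    return f.current_offset;          /* 24 */
}

/* A genuine overflow is still caught after the fix: 60 rounds up to 64 and
 * 64 + 8 exceeds frame_end = 64. */
static int signed_math_verdict_at_60(void)
{
    struct frame f = { 60, 64 };
    return alloc_signed_math(&f);     /* 1 */
}

int main(void)
{
    printf("offset -16, unsigned math: %s\n",
           unsigned_math_verdict_at_minus16() ? "rejected (bogus)" : "accepted");
    printf("offset -16, signed math:   %s, next offset %ld\n",
           signed_math_verdict_at_minus16() ? "rejected" : "accepted",
           signed_math_next_offset_at_minus16());
    printf("offset 60,  signed math:   %s\n",
           signed_math_verdict_at_60() ? "rejected (real overflow)" : "accepted");
    return 0;
}
```

The alignment rounding happens to survive the unsigned detour because a two's complement bit pattern is unchanged by the AND when both operands have the same width; the comparison does not, because `(size_t)-16 + 8` is an enormous unsigned number rather than -8, so a perfectly valid slot is reported as an overflow. That asymmetry is why the patch's behavioural change is in the `if`, while the other casts are about keeping the whole computation in one type.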