Patchwork qxl: Slot sanity check in qxl_phys2virt() is off by one, fix

Submitter Markus Armbruster
Date Nov. 4, 2011, 9:34 a.m.
Message ID <1320399264-28581-1-git-send-email-armbru@redhat.com>
Permalink /patch/123577/
State New

Comments

Markus Armbruster - Nov. 4, 2011, 9:34 a.m.
Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
 hw/qxl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
Gerd Hoffmann - Nov. 9, 2011, 12:33 p.m.
On 11/04/11 10:34, Markus Armbruster wrote:
> Spotted by Coverity.

Patch added to spice patch queue.

thanks,
  Gerd
Markus Armbruster - Jan. 17, 2012, 9:08 a.m.
Ping?

Markus Armbruster <armbru@redhat.com> writes:

> Spotted by Coverity.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
> ---
>  hw/qxl.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/hw/qxl.c b/hw/qxl.c
> index 84ffd45..c97bebe 100644
> --- a/hw/qxl.c
> +++ b/hw/qxl.c
> @@ -1006,7 +1006,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
>      case MEMSLOT_GROUP_HOST:
>          return (void*)offset;
>      case MEMSLOT_GROUP_GUEST:
> -        PANIC_ON(slot > NUM_MEMSLOTS);
> +        PANIC_ON(slot >= NUM_MEMSLOTS);
>          PANIC_ON(!qxl->guest_slots[slot].active);
>          PANIC_ON(offset < qxl->guest_slots[slot].delta);
>          offset -= qxl->guest_slots[slot].delta;
Alon Levy - Jan. 17, 2012, 11:57 a.m.
On Tue, Jan 17, 2012 at 10:08:47AM +0100, Markus Armbruster wrote:
> Ping?
> 
> Markus Armbruster <armbru@redhat.com> writes:
> 

Reviewed-by: Alon Levy <alevy@redhat.com>

> > Spotted by Coverity.
> >
> > Signed-off-by: Markus Armbruster <armbru@redhat.com>
> > ---
> >  hw/qxl.c |    2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/hw/qxl.c b/hw/qxl.c
> > index 84ffd45..c97bebe 100644
> > --- a/hw/qxl.c
> > +++ b/hw/qxl.c
> > @@ -1006,7 +1006,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
> >      case MEMSLOT_GROUP_HOST:
> >          return (void*)offset;
> >      case MEMSLOT_GROUP_GUEST:
> > -        PANIC_ON(slot > NUM_MEMSLOTS);
> > +        PANIC_ON(slot >= NUM_MEMSLOTS);
> >          PANIC_ON(!qxl->guest_slots[slot].active);
> >          PANIC_ON(offset < qxl->guest_slots[slot].delta);
> >          offset -= qxl->guest_slots[slot].delta;
>
Gerd Hoffmann - Jan. 17, 2012, 3:50 p.m.
On 01/17/12 10:08, Markus Armbruster wrote:
> Ping?

Sitting lonely in the spice patch queue.
/me completely forgot that the spice patch queue isn't empty ...

cheers,
  Gerd

Patch

diff --git a/hw/qxl.c b/hw/qxl.c
index 84ffd45..c97bebe 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1006,7 +1006,7 @@  void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
     case MEMSLOT_GROUP_HOST:
         return (void*)offset;
     case MEMSLOT_GROUP_GUEST:
-        PANIC_ON(slot > NUM_MEMSLOTS);
+        PANIC_ON(slot >= NUM_MEMSLOTS);
         PANIC_ON(!qxl->guest_slots[slot].active);
         PANIC_ON(offset < qxl->guest_slots[slot].delta);
         offset -= qxl->guest_slots[slot].delta;
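
Review bot: The commit message for the changed bound check under MEMSLOT_GROUP_GUEST says only "Spotted by Coverity" and never states the defect. Assuming guest_slots is declared with NUM_MEMSLOTS entries (the declaration is outside this hunk), the old `slot > NUM_MEMSLOTS` let slot == NUM_MEMSLOTS reach `qxl->guest_slots[slot].active`, a read one element past the end of the array, followed by reads of `.delta` from the same out-of-range element. Please say that in the message so the fix can be judged without the Coverity report. The declaration of slot is also not visible here: if it is a signed type, `slot >= NUM_MEMSLOTS` does not reject negative values, so either confirm it is unsigned or add a lower-bound check next to this one.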