[v3,4/4] vga: Fix divide-by-zero in vga_update_text

From: Gonglei <arei.gonglei@huawei.com>

Spotted by Coverity:

(20) Event cond_true:  Condition "cursor_visible", taking true branch
(21) Event cond_true:  Condition "cursor_offset < size", taking true branch
(22) Event cond_true:  Condition "cursor_offset >= 0", taking true branch

2097    if (cursor_visible && cursor_offset < size && cursor_offset >= 0)
(23) Event divide_by_zero:  In expression "cursor_offset / width",
division by expression "width" which may be zero has undefined behavior.

2098                    dpy_text_cursor(s->con,
2099                                    TEXTMODE_X(cursor_offset),
2100                                    TEXTMODE_Y(cursor_offset));

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
 hw/display/vga.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Hi,

> 2097    if (cursor_visible && cursor_offset < size && cursor_offset >= 0)
> (23) Event divide_by_zero:  In expression "cursor_offset / width",
> division by expression "width" which may be zero has undefined behavior.

> -            if (cursor_visible && cursor_offset < size && cursor_offset >= 0)
> +            if (cursor_visible && cursor_offset < size && cursor_offset > 0)
>                  dpy_text_cursor(s->con,
>                                  TEXTMODE_X(cursor_offset),
>                                  TEXTMODE_Y(cursor_offset));

That doesn't fix the reported issue.  It's "width" which Coverity thinks
might be zero, not cursor_offset.  And cursor_offset being zero is
perfectly fine, happens when the cursor is in the upper left corner.

I have no idea why Coverity thinks width can be zero there.  Line 2047:

        width = (s->cr[VGA_CRTC_H_DISP] + 1);

(where cr is uint8_t).  Hmm, maybe for the wraparound case (i.e.
s->cr[VGA_CRTC_H_DISP] == 0xff)?

cheers,
  Gerd

Il 12/06/2014 12:43, Gerd Hoffmann ha scritto:
> That doesn't fix the reported issue.  It's "width" which Coverity thinks
> might be zero, not cursor_offset.  And cursor_offset being zero is
> perfectly fine, happens when the cursor is in the upper left corner.
>
> I have no idea why Coverity thinks width can be zero there.  Line 2047:
>
>         width = (s->cr[VGA_CRTC_H_DISP] + 1);
>
> (where cr is uint8_t).  Hmm, maybe for the wraparound case (i.e.
> s->cr[VGA_CRTC_H_DISP] == 0xff)?

Not even that, the result is 0x100, math is done on the "int" data type.

In fact I don't even see this defect on scan.coverity.com.

Paolo

> -----Original Message-----

> From: Gerd Hoffmann [mailto:kraxel@redhat.com]

> Sent: Thursday, June 12, 2014 6:44 PM

> To: Gonglei (Arei)

> Cc: qemu-devel@nongnu.org; pbonzini@redhat.com; lcapitulino@redhat.com;

> av1474@comtv.ru; stefanha@redhat.com; Luonengjun; Huangweidong (C)

> Subject: Re: [PATCH v3 4/4] vga: Fix divide-by-zero in vga_update_text

> 

>   Hi,

> 

> > 2097    if (cursor_visible && cursor_offset < size && cursor_offset >= 0)

> > (23) Event divide_by_zero:  In expression "cursor_offset / width",

> > division by expression "width" which may be zero has undefined behavior.

> 

> > -            if (cursor_visible && cursor_offset < size && cursor_offset >=

> 0)

> > +            if (cursor_visible && cursor_offset < size && cursor_offset >

> 0)

> >                  dpy_text_cursor(s->con,

> >                                  TEXTMODE_X(cursor_offset),

> >                                  TEXTMODE_Y(cursor_offset));

> 

> That doesn't fix the reported issue.  It's "width" which Coverity thinks

> might be zero, not cursor_offset.  And cursor_offset being zero is

> perfectly fine, happens when the cursor is in the upper left corner.

> 

Yep, I'm sorry for this fault.

> I have no idea why Coverity thinks width can be zero there.  Line 2047:

> 

>         width = (s->cr[VGA_CRTC_H_DISP] + 1);

> 

> (where cr is uint8_t).  Hmm, maybe for the wraparound case (i.e.

> s->cr[VGA_CRTC_H_DISP] == 0xff)?

> 

> cheers,

>   Gerd

> 


Best regards,
-Gonglei