From 096e55ff7f71e0e6eea47c80e385a9891ccaacf9 Mon Sep 17 00:00:00 2001
From: yinxiuxiu
Date: Fri, 22 Nov 2024 07:53:07 +0000
Subject: [PATCH] update hw/intc/openpic.c.

cherry-pick from 3bf7dcd47a3da0e86a9347ce5b2b5d5a1dcb5857
Avoid taking address of out-of-bounds array index
This is because we do src = &opp->src[n_IRQ]; when n_IRQ may be -1. This is in practice harmless because if n_IRQ is -1 then we don't do anything with the src pointer, but it is undefined behaviour.
(This has been present since this device was first added to QEMU.)
Signed-off-by: Peter Maydell peter.maydell@linaro.org
Reviewed-by: Richard Henderson richard.henderson@linaro.org
Reviewed-by: Mark Cave-Ayland mark.cave-ayland@ilande.co.uk
Message-id: 20241105180205.3074071-1-peter.maydell@linaro.org
Signed-off-by: yinxiuxiu yinxiuxiu_yewu@cmss.chinamobile.com
Signed-off-by: yinxiuxiu
---
hw/intc/openpic.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c
index 9792a11224..6f13af326d 100644
--- a/hw/intc/openpic.c
+++ b/hw/intc/openpic.c
@@ -1032,13 +1032,14 @@ static void openpic_cpu_write_internal(void *opaque, hwaddr addr,
 s_IRQ = IRQ_get_next(opp, &dst->servicing);
 /* Check queued interrupts. */
 n_IRQ = IRQ_get_next(opp, &dst->raised);
- src = &opp->src[n_IRQ];
- if (n_IRQ != -1 &&
- (s_IRQ == -1 ||
- IVPR_PRIORITY(src->ivpr) > dst->servicing.priority)) {
- DPRINTF("Raise OpenPIC INT output cpu %d irq %d",
- idx, n_IRQ);
- qemu_irq_raise(opp->dst[idx].irqs[OPENPIC_OUTPUT_INT]);
+ if (n_IRQ != -1) {
+ src = &opp->src[n_IRQ];
+ if (s_IRQ == -1 ||
+ IVPR_PRIORITY(src->ivpr) > dst->servicing.priority) {
+ DPRINTF("Raise OpenPIC INT output cpu %d irq %d",
+ idx, n_IRQ);
+ qemu_irq_raise(opp->dst[idx].irqs[OPENPIC_OUTPUT_INT]);
+ }
 }
 break;
 default:
-- 
Gitee
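Review bot: The new guard `if (n_IRQ != -1) {` that now precedes `src = &opp->src[n_IRQ];` carries no comment explaining why the pointer is formed only inside it, so a later cleanup that merges the two conditions back into one would silently reintroduce the `&opp->src[-1]` this commit removes. I would add, on the line above the guard, `/* IRQ_get_next() returns -1 for an empty queue; &opp->src[-1] is undefined behaviour, so only form src for a valid index. */`. On the non-negative side the guard still relies on IRQ_get_next() never returning an index at or beyond the end of opp->src; that bound is presumably enforced inside IRQ_get_next() but is not visible in this hunk and is worth a one-line assertion or comment there if it is not already documented. openpic_cpu_write_internal() begins and ends outside the hunk.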