Overflow can occur in a situation where desc->source_address
has a maximum value (pow(2, 32) - 1), so add a cast to a
larger type before the assignment.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiup...@astralinux.ru>
---
hw/dma/xlnx_dpdma.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index 1f5cd64ed1..224259225c 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -175,24 +175,24 @@ static uint64_t
xlnx_dpdma_desc_get_source_address(DPDMADescriptor *desc,
switch (frag) {
case 0:
- addr = desc->source_address
- + (extract32(desc->address_extension, 16, 12) << 20);
+ addr = (uint64_t)(desc->source_address
+ + (extract32(desc->address_extension, 16, 12) << 20));
break;
case 1:
- addr = desc->source_address2
- + (extract32(desc->address_extension_23, 0, 12) << 8);
+ addr = (uint64_t)(desc->source_address2
+ + (extract32(desc->address_extension_23, 0, 12) << 8));
break;
case 2:
- addr = desc->source_address3
- + (extract32(desc->address_extension_23, 16, 12) << 20);
+ addr = (uint64_t)(desc->source_address3
+ + (extract32(desc->address_extension_23, 16, 12) << 20));
break;
case 3:
- addr = desc->source_address4
- + (extract32(desc->address_extension_45, 0, 12) << 8);
+ addr = (uint64_t)(desc->source_address4
+ + (extract32(desc->address_extension_45, 0, 12) << 8));
break;
case 4:
- addr = desc->source_address5
- + (extract32(desc->address_extension_45, 16, 12) << 20);
+ addr = (uint64_t)(desc->source_address5
+ + (extract32(desc->address_extension_45, 16, 12) << 20));
break;
default:
addr = 0;
--
2.30.2
