Coverity pointed out a problem in the bcm2835_property handling of
the OTP access properties, where a mixup between uint32_t and int
meant that the guest could hand us a very large unsigned value
that we would end up treating as a negative number. In the course
of fixing that I noticed that we also don't handle the set-palette
property correctly. This series:
* fixes set-palette (enforcing the range restrictions on the
inputs from the guest and getting the loop termination condition
correct)
* uses uint32_t rather than int for the loop variable in the
OTP access properties to avoid the overflow problem
* cleans up the code by making various variables have only the
scope they need rather than being declared once at the top of
this 400 line function
Only patches 1 and 2 are strictly bugfixes (and cc'd to stable); patches
3 and 4 are small and safe but don't really need to be backported.
thanks
-- PMM
Peter Maydell (4):
hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE
hw/misc/bcm2835_property: Avoid overflow in OTP access properties
hw/misc/bcm2835_property: Restrict scope of start_num, number, otp_row
hw/misc/bcm2835_property: Reduce scope of variables in mbox push
function
hw/misc/bcm2835_property.c | 91 +++++++++++++++++++++-----------------
1 file changed, 50 insertions(+), 41 deletions(-)
--
2.34.1
