Coverity pointed out a problem in the bcm2835_property handling of the OTP access properties, where a mixup between uint32_t and int meant that the guest could hand us a very large unsigned value that we would end up treating as a negative number. In the course of fixing that I noticed that we also don't handle the set-palette property correctly. This series: * fixes set-palette (enforcing the range restrictions on the inputs from the guest and getting the loop termination condition correct) * uses uint32_t rather than int for the loop variable in the OTP access properties to avoid the overflow problem * cleans up the code by making various variables have only the scope they need rather than being declared once at the top of this 400 line function
Only patches 1 and 2 are strictly bugfixes (and cc'd to stable); patches 3 and 4 are small and safe but don't really need to be backported. thanks -- PMM Peter Maydell (4): hw/misc/bcm2835_property: Fix handling of FRAMEBUFFER_SET_PALETTE hw/misc/bcm2835_property: Avoid overflow in OTP access properties hw/misc/bcm2835_property: Restrict scope of start_num, number, otp_row hw/misc/bcm2835_property: Reduce scope of variables in mbox push function hw/misc/bcm2835_property.c | 91 +++++++++++++++++++++----------------- 1 file changed, 50 insertions(+), 41 deletions(-) -- 2.34.1