When translating the "imask" instruction of the TriCore architecture, QEMU did not check whether the register index was out of bounds, resulting in a global-buffer-overflow.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1698 Reported-by: Siqi Chen <coc.c...@gmail.com> Signed-off-by: Siqi Chen <coc.c...@gmail.com> --- target/tricore/translate.c | 1 + 1 file changed, 1 insertion(+) diff --git a/target/tricore/translate.c b/target/tricore/translate.c index cd33a1dcdd..3b8d3f53ee 100644 --- a/target/tricore/translate.c +++ b/target/tricore/translate.c @@ -5331,6 +5331,7 @@ static void decode_rcrw_insert(DisasContext *ctx) switch (op2) { case OPC2_32_RCRW_IMASK: + CHECK_REG_PAIR(r4); tcg_gen_andi_tl(temp, cpu_gpr_d[r3], 0x1f); tcg_gen_movi_tl(temp2, (1 << width) - 1); tcg_gen_shl_tl(cpu_gpr_d[r4 + 1], temp2, temp); -- 2.34.1
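Review bot: whether CHECK_REG_PAIR(r4) alone closes the overflow depends on the macro aborting the decode rather than only raising a trap and continuing into the case body; the very next line, tcg_gen_shl_tl(cpu_gpr_d[r4 + 1], temp2, temp), still indexes the host-side cpu_gpr_d array with an odd r4, where r4 + 1 runs one past the last valid pair register, so please confirm the macro returns after generate_trap() or add an explicit return/break after the check here. The commit message should also name what is overflowed: from this hunk it is the cpu_gpr_d[r4 + 1] access performed at translation time in the OPC2_32_RCRW_IMASK case, which is what the "global-buffer-overflow" wording refers to.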
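The following is an added model of the bug described in the commit message and is not QEMU's code: it shows why an odd pair index lets r4 + 1 run off a 16-entry register array and why rejecting odd r4 (the intent behind CHECK_REG_PAIR) is sufficient. The 16-register file size matches TriCore's D0..D15; the low half of the pair (D[r4] = const4 << pos), the field names and the trap flag are assumptions made for the illustration, not details taken from the hunk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU's code. TriCore has 16 data registers D0..D15;
 * the translator keeps them in a 16-entry array (cpu_gpr_d in QEMU). */
#define NUM_DREGS 16

typedef struct {
    uint32_t d[NUM_DREGS];
    bool trap;          /* assumed stand-in for the translator raising a trap */
} model_cpu;

typedef struct {
    unsigned r3;        /* register holding the bit position (masked to 5 bits) */
    unsigned r4;        /* destination pair E[r4] = (D[r4 + 1], D[r4]) */
    unsigned width;     /* 5-bit width field, 0..31 */
    unsigned const4;    /* 4-bit immediate; field name is an assumption */
} imask_insn;

/* Index the unchecked translator uses for the high half of the pair.
 * A 4-bit register field allows r4 == 15, which yields 16: one past the array. */
unsigned imask_high_index(unsigned r4)
{
    return r4 + 1;
}

/* The hardened condition: a pair must start on an even register, which
 * bounds r4 + 1 to at most 15 even for the largest encodable r4. */
bool imask_pair_ok(unsigned r4)
{
    return (r4 & 1u) == 0 && r4 < NUM_DREGS;
}

/* Execute imask on the model. Operands are validated before any array
 * access; on rejection nothing is written and the trap flag is set. */
bool imask_checked(model_cpu *cpu, const imask_insn *in)
{
    if (in->r3 >= NUM_DREGS || in->width > 31 || !imask_pair_ok(in->r4)) {
        cpu->trap = true;
        return false;
    }
    unsigned pos = cpu->d[in->r3] & 0x1f;             /* D[r3] & 0x1f, as in the hunk */
    uint32_t mask = (1u << in->width) - 1u;           /* (1 << width) - 1, as in the hunk */
    cpu->d[in->r4 + 1] = mask << pos;                 /* high half, as in the hunk */
    cpu->d[in->r4] = (uint32_t)in->const4 << pos;     /* low half: assumed ISA semantics */
    return true;
}

int main(void)
{
    model_cpu cpu = {0};
    cpu.d[2] = 8;   /* constructed input: bit position 8 */

    imask_insn bad = { .r3 = 2, .r4 = 15, .width = 4, .const4 = 5 };
    printf("r4=15 -> high index %u, array has %d entries\n",
           imask_high_index(bad.r4), NUM_DREGS);
    printf("checked decode: %s (trap=%d)\n",
           imask_checked(&cpu, &bad) ? "accepted" : "rejected", cpu.trap);

    imask_insn good = { .r3 = 2, .r4 = 14, .width = 4, .const4 = 5 };
    cpu.trap = false;
    if (imask_checked(&cpu, &good)) {
        printf("D15=0x%08x D14=0x%08x\n", cpu.d[15], cpu.d[14]);
    }
    return 0;
}
```

The point the model makes is that the parity check is not just a correctness rule for register pairs: because the register field is 4 bits wide, every even r4 keeps r4 + 1 inside the array, so rejecting odd values before any access is what prevents the out-of-bounds read the commit message describes.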