Re: [Qemu-devel] [PATCH v3 4/4] vga: Fix divide-by-zero in vga_update_text
From: Gonglei (Arei)
Subject: Re: [Qemu-devel] [PATCH v3 4/4] vga: Fix divide-by-zero in vga_update_text
Date: Thu, 12 Jun 2014 12:58:15 +0000
> -----Original Message-----
> From: Gerd Hoffmann [mailto:address@hidden
> Sent: Thursday, June 12, 2014 6:44 PM
> To: Gonglei (Arei)
> Cc: address@hidden; address@hidden; address@hidden;
> address@hidden; address@hidden; Luonengjun; Huangweidong (C)
> Subject: Re: [PATCH v3 4/4] vga: Fix divide-by-zero in vga_update_text
>
> Hi,
>
> > 2097 if (cursor_visible && cursor_offset < size && cursor_offset >= 0)
> > (23) Event divide_by_zero: In expression "cursor_offset / width",
> > division by expression "width" which may be zero has undefined behavior.
>
> > - if (cursor_visible && cursor_offset < size && cursor_offset >=
> 0)
> > + if (cursor_visible && cursor_offset < size && cursor_offset >
> 0)
> > dpy_text_cursor(s->con,
> > TEXTMODE_X(cursor_offset),
> > TEXTMODE_Y(cursor_offset));
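Review bot: tightening the cursor_offset check from `>= 0` to `> 0` does not touch the expression Coverity flagged, `cursor_offset / width`, whose possibly-zero operand is `width`, and it additionally stops drawing the cursor at offset 0, which is a valid position. Keep the original `>= 0` condition and either guard `width` before the `TEXTMODE_X`/`TEXTMODE_Y` division or show that `width = (s->cr[VGA_CRTC_H_DISP] + 1)` cannot evaluate to zero, so the report can be dismissed rather than worked around.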
>
> That doesn't fix the reported issue. It's "width" which Coverity thinks
> might be zero, not cursor_offset. And cursor_offset being zero is
> perfectly fine, happens when the cursor is in the upper left corner.
>
Yep, I'm sorry for this fault.
> I have no idea why Coverity thinks width can be zero there. Line 2047:
>
> width = (s->cr[VGA_CRTC_H_DISP] + 1);
>
> (where cr is uint8_t). Hmm, maybe for the wraparound case (i.e.
> s->cr[VGA_CRTC_H_DISP] == 0xff)?
>
> cheers,
> Gerd
>
Best regards,
-Gonglei
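The two points raised in the thread (whether `s->cr[VGA_CRTC_H_DISP] + 1` can wrap to zero, and that offset 0 is a valid cursor position) as an added stand-alone C model; this is not QEMU's code. The shape of `TEXTMODE_X`/`TEXTMODE_Y` (column = offset % width, row = offset / width) and an `int`-typed `width` are assumptions.

```c
/* Added example, not QEMU source: models the width computation and the
 * TEXTMODE_X/Y division discussed in the thread. Macro shapes assumed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* width = (s->cr[VGA_CRTC_H_DISP] + 1) with cr being uint8_t: the 8-bit
 * operand is promoted to int before the addition, so 0xff gives 256, not 0. */
static int text_width_from_crtc(uint8_t h_disp)
{
    return h_disp + 1;
}

/* Only if the result is stored back into an 8-bit variable does 0xff wrap
 * to 0. This is the wraparound case Gerd speculates about. */
static uint8_t text_width_narrowed(uint8_t h_disp)
{
    return (uint8_t)(h_disp + 1);
}

/* The guard that actually removes the division by zero checks width, and
 * keeps cursor_offset == 0 (upper left corner) as a drawable position. */
static bool text_cursor_drawable(int cursor_offset, int size, int width)
{
    return width > 0 && cursor_offset >= 0 && cursor_offset < size;
}

/* Assumed TEXTMODE_X: column within the row. Returns -1 when not drawable. */
static int text_cursor_col(int cursor_offset, int size, int width)
{
    return text_cursor_drawable(cursor_offset, size, width)
           ? cursor_offset % width : -1;
}

/* Assumed TEXTMODE_Y: row index. Returns -1 when not drawable. */
static int text_cursor_row(int cursor_offset, int size, int width)
{
    return text_cursor_drawable(cursor_offset, size, width)
           ? cursor_offset / width : -1;
}

int main(void)
{
    printf("width for 0xff: int=%d uint8_t=%u\n",
           text_width_from_crtc(0xff), text_width_narrowed(0xff));
    printf("cursor 0 on 80 cols -> col %d row %d\n",
           text_cursor_col(0, 80 * 25, 80), text_cursor_row(0, 80 * 25, 80));
    return 0;
}
```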