From: Denis Rastyogin <ger...@altlinux.org>

Accessing s->core_registers (size 236) could overflow if the offset goes beyond the valid range.
Since the memory region matches core_registers size exactly, guest cannot write out-of-bounds. Therefore, the debug assert has been refined to ensure the offset remains within DP_CORE_REG_ARRAY_SIZE, preventing internal errors. Found by Linux Verification Center (linuxtesting.org) with SVACE. Reported-by: David Meliksetyan <d.melikset...@fobos-nt.ru> Signed-off-by: Denis Rastyogin <ger...@altlinux.org> --- hw/display/xlnx_dp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index 7c980ee642..b35ee2f869 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c @@ -896,7 +896,11 @@ static void xlnx_dp_write(void *opaque, hwaddr offset, uint64_t value, xlnx_dp_update_irq(s); break; default: - assert(offset <= (0x504C >> 2)); + /* + * Check to ensure the offset is within the bounds of + * the core_registers[] array. + */ + assert(offset < DP_CORE_REG_ARRAY_SIZE); s->core_registers[offset] = value; break; } -- 2.42.2
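Review bot: In the default: case of xlnx_dp_write(), the new bound depends on DP_CORE_REG_ARRAY_SIZE being the element count of core_registers[] and on offset already being a register index rather than a byte offset. Neither is visible in this hunk. Writing the check as assert(offset < ARRAY_SIZE(s->core_registers)) would tie it to the array it protects and keep it correct if the array is ever resized. The old bound, 0x504C >> 2, works out to 5139, far above the 236 entries the commit message gives, so it never constrained the index. It would help to say that in the message, which currently states both that the access "could overflow" and that the guest cannot write out of bounds. The added comment only restates the assert. Either drop it or have it record why the bound cannot be reached from the guest (the memory region size matching core_registers).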