On 29/7/25 14:16, Markus Armbruster wrote:
Philippe Mathieu-Daudé <phi...@linaro.org> writes:
On 29/7/25 13:12, Markus Armbruster wrote:
xenfb_mouse_event() has a switch statement whose controlling
expression move->axis is an enum InputAxis. The enum values are
INPUT_AXIS_X and INPUT_AXIS_Y, encoded as 0 and 1. The switch has a
case for both axes. In addition, it has an unreachable default label.
This convinces Coverity that move->axis can be greater than 1. It
duly reports a buffer overrun when it is used to subscript an array
with two elements.
Replace the unreachable code by abort().
Resolves: Coverity CID 1613906
Signed-off-by: Markus Armbruster <arm...@redhat.com>
---
hw/display/xenfb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
index 22822fecea..5e6c691779 100644
--- a/hw/display/xenfb.c
+++ b/hw/display/xenfb.c
@@ -283,8 +283,7 @@ static void xenfb_mouse_event(DeviceState *dev, QemuConsole
*src,
scale = surface_height(surface) - 1;
break;
default:
- scale = 0x8000;
- break;
+ abort();
We prefer GLib g_assert_not_reached() over abort() because it displays
the file, line number & function before aborting.
The purpose of this line is to tell the compiler we can't get there,
with the least amount of ceremony.
We have ~600 calls of abort().
And ~1600 of g_assert_not_reached() =)
$ git grep -w 'abort();' | wc -l
556
$ git grep -w 'g_assert_not_reached();' | wc -l
1551
Whoever merges this: feel free to replace by g_assert_not_reached().
}
xenfb->axis[move->axis] = move->value * scale / 0x7fff;
}
