On 13 October 2025 11:10:45 UTC, Markus Armbruster <[email protected]> wrote:
>Ping?
>
>Markus Armbruster <[email protected]> writes:
>
>> xenfb_mouse_event() has a switch statement whose controlling
>> expression move->axis is an enum InputAxis. The enum values are
>> INPUT_AXIS_X and INPUT_AXIS_Y, encoded as 0 and 1. The switch has a
>> case for both axes. In addition, it has an unreachable default label.
>> This convinces Coverity that move->axis can be greater than 1. It
>> duly reports a buffer overrun when it is used to subscript an array
>> with two elements.
>>
>> Replace the unreachable code by abort().
>>
>> Resolves: Coverity CID 1613906
>> Signed-off-by: Markus Armbruster <[email protected]>
>> ---
>> hw/display/xenfb.c | 3 +--
>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
>> index 22822fecea..5e6c691779 100644
>> --- a/hw/display/xenfb.c
>> +++ b/hw/display/xenfb.c
>> @@ -283,8 +283,7 @@ static void xenfb_mouse_event(DeviceState *dev,
>> QemuConsole *src,
>> scale = surface_height(surface) - 1;
>> break;
>> default:
>> - scale = 0x8000;
>> - break;
>> + abort();

Don't we prefer g_assert_not_reached() these days, for more expressiveness?

Best regards,
Bernhard

>> }
>> xenfb->axis[move->axis] = move->value * scale / 0x7fff;
>> }
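
Review bot: In the default branch, the bare abort() gives no indication of why the label is unreachable. A one-line comment stating that InputAxis has only INPUT_AXIS_X and INPUT_AXIS_Y, or g_assert_not_reached() as raised in the reply, would record that assumption right next to the xenfb->axis[move->axis] subscript that follows the switch, and g_assert_not_reached() would also report the file and line if a later enum value ever breaks it.
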
>
>