address and config_size are both unsigned, so check which is bigger before the subtraction. Otherwise the result of the subtraction can be an unexpectedly big value.
Signed-off-by: Isaku Yamahata <yamah...@valinux.co.jp>
---
hw/pci.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/hw/pci.c b/hw/pci.c
index 3362842..39a6206 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -988,9 +988,14 @@ uint32_t pci_default_read_config(PCIDevice *d, uint32_t address, int len)
 {
 uint32_t val = 0;
+ uint32_t config_size = pci_config_size(d);
 assert(len == 1 || len == 2 || len == 4);
- len = MIN(len, pci_config_size(d) - address);
- memcpy(&val, d->config + address, len);
+ if (address < config_size) {
+ len = MIN(len, config_size - address);
+ memcpy(&val, d->config + address, len);
+ } else {
+ val = ~0;
+ }
 return le32_to_cpu(val);
 }
--
1.6.6.1
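Review bot: The two paths of the new `if` disagree on what a read past the end of config space returns: a read that starts before `config_size` but straddles it keeps the zero-initialised `val` for the bytes beyond the end (only `config_size - address` bytes are copied), while a read that starts at or past `config_size` now returns all ones. If the `else` branch is meant to model an unimplemented register as all-ones, the straddling case should presumably match, e.g. by starting from `uint32_t val = ~0U;` instead of `0` — worth confirming against what callers expect for the bytes beyond a truncated read. Independently, `~0` is an `int`; the conversion to `uint32_t` is well-defined, but `val = ~0U;` states the intent directly, and the branch deserves a one-line comment such as `/* reads outside the device's config space return all ones */`. The bounds check itself is the right fix: the old code let `address >= config_size` wrap the subtraction and read `d->config` out of range.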