On Sun, Jun 27, 2010 at 12:06:11AM +0200, Andi Kleen wrote:
> Add more boundary checking to sse3/4 parsing
>
> s?sse3 uses tables with only two entries per op, but it is indexed
> with b1 which can contain variables up to 3. This happens when ssse3
> or sse4 are used with REP* prefixes.
>
> Add boundary checking for this case.
>
> Signed-off-by: Andi Kleen <a...@linux.intel.com>
Thanks, applied. > diff --git a/target-i386/translate.c b/target-i386/translate.c > index 1336d6f..aae0374 100644 > --- a/target-i386/translate.c > +++ b/target-i386/translate.c > @@ -3472,6 +3472,8 @@ static void gen_sse(DisasContext *s, int b, > target_ulong pc_start, int rex_r) > case 0x171: /* shift xmm, im */ > case 0x172: > case 0x173: > + if (b1 >= 2) > + goto illegal_op; > val = ldub_code(s->pc++); > if (is_xmm) { > gen_op_movl_T0_im(val); > @@ -3699,6 +3701,8 @@ static void gen_sse(DisasContext *s, int b, > target_ulong pc_start, int rex_r) > rm = modrm & 7; > reg = ((modrm >> 3) & 7) | rex_r; > mod = (modrm >> 6) & 3; > + if (b1 >= 2) > + goto illegal_op; > > sse_op2 = sse_op_table6[b].op[b1]; > if (!sse_op2) > @@ -3798,6 +3802,8 @@ static void gen_sse(DisasContext *s, int b, > target_ulong pc_start, int rex_r) > rm = modrm & 7; > reg = ((modrm >> 3) & 7) | rex_r; > mod = (modrm >> 6) & 3; > + if (b1 >= 2) > + goto illegal_op; > > sse_op2 = sse_op_table7[b].op[b1]; > if (!sse_op2) > > -- Aurelien Jarno GPG: 1024D/F1BCDB73 aurel...@aurel32.net http://www.aurel32.net
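Review bot: for the first hunk (cases 0x171-0x173, "shift xmm, im") the commit message gives no reason why this path needs the `b1 >= 2` bound; the message only talks about the ssse3/sse4 tables, and this case reaches neither sse_op_table6 nor sse_op_table7. Please extend the message to name the array that b1 indexes on the shift-immediate path so a reader can confirm that a bound of 2 matches its width, as it visibly does for the other two hunks. Placing the check ahead of `val = ldub_code(s->pc++);` looks right, since a rejected encoding then does not consume the immediate byte before jumping to illegal_op.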
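Review bot: in the second hunk the literal 2 in `if (b1 >= 2)` before `sse_op2 = sse_op_table6[b].op[b1];` restates the width of the op[] member of sse_op_table6 without referring to it, so a later change to that array silently makes the check either too strict or ineffective. Prefer deriving the bound from the table definition, e.g. `if (b1 >= ARRAY_SIZE(sse_op_table6[b].op)) goto illegal_op;` (assuming the tree's ARRAY_SIZE macro), or a named constant shared with the table declaration. The guard is doing real work here: per the commit message a REP-prefixed opcode yields b1 of 2 or 3, which reads past op[1], and the out-of-bounds value lands in sse_op2 with only the `if (!sse_op2)` NULL test between it and use, so tying the bound to the table is worth the extra line.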
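Review bot: the third hunk is the third verbatim copy of `if (b1 >= 2) goto illegal_op;`, this time guarding `sse_op_table7[b].op[b1]`. Consider factoring the check into one place (a small static inline or macro beside the table definitions) so the three sites cannot drift apart when one is edited; it would also make it straightforward to audit that every `op[b1]` index in gen_sse is covered, which the commit message implies is the intent but which the diff alone does not establish.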