From 7e4ac9e86ef286c1418ea32aaf5b48646a952ac4 Mon Sep 17 00:00:00 2001
From: Chen Huitao
Date: Fri, 10 Jan 2020 23:05:44 +0800
Subject: [PATCH] fix some oss-fuzz (#1184)

* fix oss-fuzz 10419.
* fix oss-fuzz 10427.
* fix oss-fuzz 10421.
* fix oss-fuzz 10422.
* fix oss-fuzz 10425.
* fix oss-fuzz 10426.
* fix oss-fuzz 10426.
* fix oss-fuzz 10422.
* fix oss-fuzz 10426.
* fix oss-fuzz 10456.
* fix oss-fuzz 10428.
* fix oss-fuzz 10429.
* fix oss-fuzz 10431.
* fix oss-fuzz 10435.
* fix oss-fuzz 10430.
* fix oss-fuzz 10436.
* remove unused var.
* fix oss-fuzz 10449.
* fix oss-fuzz 10452.
* fix oss-fuzz 11792.
* fix oss-fuzz 10457.
* fix oss-fuzz 11737.
* fix oss-fuzz 10458.
* fix oss-fuzz 10565.
* fix oss-fuzz 11651.
* fix oss-fuzz 10497.
* fix oss-fuzz 10515.
* fix oss-fuzz 10586.
* fix oss-fuzz 10597.
* fiz oss-fuzz 11721.
* fix oss-fuzz 10718.
* fix oss-fuzz 15610.
* fix oss-fuzz 10512.
* fix oss-fuzz 10545.
* fix oss-fuzz 10598.
* fix oss-fuzz 11112.
* fix oss-fuzz 11589.
* fix oss-fuzz 10674.
* git fix oss-fuzz 19610.
* fix oss-fuzz 19848.
* fix oss-fuzz 19851.
* fix oss-fuzz 19852.
* fix oss-fuzz 10878.
* fix oss-fuzz 11655.
* fix oss-fuzz 19849.
* fix oss-fuzz 11765.
* fix oss-fuzz 10337.
* fix oss-fuzz 10575.
* fix oss-fuzz 19877.
* fix oss-fuzz 19895.
* fix oss-fuzz 19896.
* fix oss-fuzz 19897.
* remove verbose fprintf output.
---
 qemu/fpu/softfloat.c | 4 ++--
 qemu/target-arm/internals.h | 2 +-
 qemu/target-arm/neon_helper.c | 2 +-
 qemu/target-arm/translate-a64.c | 6 +++---
 qemu/target-arm/translate.c | 12 +++++++-----
 qemu/target-i386/fpu_helper.c | 6 ++++--
 qemu/target-i386/int_helper.c | 2 +-
 qemu/target-i386/ops_sse.h | 6 +++---
 qemu/target-i386/translate.c | 2 +-
 qemu/target-m68k/helper.c | 10 +++++-----
 qemu/target-mips/translate.c | 16 ++++++++--------
 qemu/tcg/tcg.c | 4 ++--
 12 files changed, 38 insertions(+), 34 deletions(-)

diff --git a/qemu/fpu/softfloat.c b/qemu/fpu/softfloat.c
index b6d10784..724cea86 100644
--- a/qemu/fpu/softfloat.c
+++ b/qemu/fpu/softfloat.c
@@ -130,7 +130,7 @@ static int32 roundAndPackInt32( flag zSign, uint64_t absZ STATUS_PARAM)
 absZ = ( absZ + roundIncrement )>>7;
 absZ &= ~ ( ( ( roundBits ^ 0x40 ) == 0 ) & roundNearestEven );
 z = (int32_t)absZ;
- if ( zSign ) z = - z;
+ if ( zSign && (z != 0x80000000)) z = - z;
 if ( ( absZ>>32 ) || ( z && ( ( z < 0 ) ^ zSign ) ) ) {
 float_raise( float_flag_invalid STATUS_VAR);
 return zSign ? (int32_t) 0x80000000 : 0x7FFFFFFF;
@@ -1220,7 +1220,7 @@ float64 int32_to_float64(int32_t a STATUS_PARAM)
 if ( a == 0 ) return float64_zero;
 zSign = ( a < 0 );
- absA = zSign ? - a : a;
+ absA = (zSign & (a != 0x80000000)) ? - a : a;
 shiftCount = countLeadingZeros32( absA ) + 21;
 zSig = absA;
 return packFloat64( zSign, 0x432 - shiftCount, zSig<uc->tcg_ctx;
 int rt = extract32(insn, 0, 5);
- int64_t imm = sextract32(insn, 5, 19) << 2;
+ int64_t imm = (int32_t)(((uint32_t)sextract32(insn, 5, 19)) << 2);
 bool is_vector = extract32(insn, 26, 1);
 int opc = extract32(insn, 30, 2);
 bool is_signed = false;
@@ -2684,14 +2684,14 @@ static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
 page = extract32(insn, 31, 1);
 /* SignExtend(immhi:immlo) -> offset */
- offset = ((int64_t)sextract32(insn, 5, 19) << 2) | extract32(insn, 29, 2);
+ offset = (int64_t)((uint64_t)sextract32(insn, 5, 19) << 2) | extract32(insn, 29, 2);
 rd = extract32(insn, 0, 5);
 base = s->pc - 4;
 if (page) {
 /* ADRP (page based) */
 base &= ~0xfff;
- offset <<= 12;
+ offset = ((uint64_t)offset) << 12;
 }
 tcg_gen_movi_i64(tcg_ctx, cpu_reg(s, rd), base + offset);
diff --git a/qemu/target-arm/translate.c b/qemu/target-arm/translate.c
index 576dfd66..db7aec59 100644
--- a/qemu/target-arm/translate.c
+++ b/qemu/target-arm/translate.c
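Review bot: The guard `z != 0x80000000` in roundAndPackInt32 compares a signed `z` against an `unsigned int` literal and only works because the usual arithmetic conversions happen to map INT32_MIN onto 0x80000000u; spell the intent as `if ( zSign && z != INT32_MIN ) z = - z;` with a comment that INT32_MIN is already the correct negative result. The same magic constant recurs in the int32_to_float64 hunk below (`zSign & (a != 0x80000000)`, where `&` joins a flag and a comparison and `&&` is meant) and in the idiv64 hunk of target-i386/int_helper.c (`b != 0x8000000000000000LL`, a literal that does not fit `long long` and is therefore actually unsigned). An alternative that needs no special case is to negate in the unsigned type, e.g. `absA = zSign ? 0U - (uint32_t)a : (uint32_t)a;`, which is defined for every input including INT32_MIN, assuming `absA` is the unsigned magnitude type as in upstream softfloat. Both softfloat functions begin before their hunks.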
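Review bot: The cast chains on the two changed `offset` lines in disas_pc_rel_adr read as noise without a comment saying why they are there: shifting the `sextract32` result as `uint64_t` is what removes the left-shift-of-negative UB, while the conversion back to `int64_t` of a value with the top bit set is implementation-defined (GCC and Clang document it as reduction modulo 2^64), not undefined. A one-line comment above the first assignment saves the next reader the analysis, e.g. `/* shift as unsigned: left-shifting a negative immediate as int64_t is UB */`. The function begins before the hunk.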
@@ -132,7 +132,7 @@ static void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
 addr = (long)s->pc + 4;
 tcg_gen_movi_i32(tcg_ctx, var, addr);
 } else {
- tcg_gen_mov_i32(tcg_ctx, var, tcg_ctx->cpu_R[reg]);
+ tcg_gen_mov_i32(tcg_ctx, var, tcg_ctx->cpu_R[(reg & 0x0f)]);
 }
 }
@@ -806,8 +806,10 @@ void arm_gen_test_cc(TCGContext *tcg_ctx, int cc, int label)
 tcg_temp_free_i32(tcg_ctx, tmp);
 break;
 default:
- fprintf(stderr, "Bad condition code 0x%x\n", cc);
- abort();
+ /* fprintf(stderr, "Bad condition code 0x%x\n", cc); */
+ tmp = tcg_const_i32(tcg_ctx, EXCP_EXCEPTION_EXIT);
+ gen_helper_exception_internal(tcg_ctx, tcg_ctx->cpu_env, tmp);
+ tcg_temp_free_i32(tcg_ctx, tmp);
 }
 }
@@ -11124,7 +11126,7 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s) // qq
 /* jump to the offset */
 val = (uint32_t)s->pc + 2;
- offset = ((int32_t)insn << 24) >> 24;
+ offset = ((int32_t)((uint32_t)insn << 24)) >> 24;
 val += offset << 1;
 gen_jmp(s, val);
 break;
@@ -11137,7 +11139,7 @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s) // qq
 }
 /* unconditional branch */
 val = (uint32_t)s->pc;
- offset = ((int32_t)insn << 21) >> 21;
+ offset = ((int32_t)((uint32_t)insn << 21)) >> 21;
 val += (offset << 1) + 2;
 gen_jmp(s, val);
 break;
diff --git a/qemu/target-i386/fpu_helper.c b/qemu/target-i386/fpu_helper.c
index 80e48e35..5de7e2ef 100644
--- a/qemu/target-i386/fpu_helper.c
+++ b/qemu/target-i386/fpu_helper.c
@@ -654,7 +654,9 @@ void helper_fbst_ST0(CPUX86State *env, target_ulong ptr)
 mem_end = mem_ref + 9;
 if (val < 0) {
 cpu_stb_data(env, mem_end, 0x80);
- val = -val;
+ if (val != 0x8000000000000000LL) {
+ val = -val;
+ }
 } else {
 cpu_stb_data(env, mem_end, 0x00);
 }
@@ -664,7 +666,7 @@ void helper_fbst_ST0(CPUX86State *env, target_ulong ptr)
 }
 v = val % 100;
 val = val / 100;
- v = ((v / 10) << 4) | (v % 10);
+ v = (int)((unsigned int)(v / 10) << 4) | (v % 10);
 cpu_stb_data(env, mem_ref++, v);
 }
 while (mem_ref < mem_end) {
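Review bot: `cpu_R[(reg & 0x0f)]` silently remaps an out-of-range register number onto a valid one instead of rejecting it, so a malformed encoding that previously indexed past `cpu_R` now quietly reads a different register; if the fuzz report came from a decode path handing in `reg >= 16`, the rejection belongs at that decode site and the mask here is only a last line of defence. Say so where the mask is applied: `/* reg may come from a malformed encoding; mask rather than index past cpu_R (decode should reject it) */`. Note also that a value such as 31 now takes the `cpu_R[15]` path rather than the PC branch above, which appears to test `reg` before masking; confirm that is intended. load_reg_var begins before the hunk.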
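Review bot: The `default:` arm of arm_gen_test_cc now carries a commented-out `fprintf` where a statement of why the emulator no longer aborts should be; delete the dead line and replace it with the reason, e.g. `/* cc is a 4-bit field; a value outside the handled set can only come from a malformed encoding, so raise an internal exception instead of aborting the process */`. Reusing `EXCP_EXCEPTION_EXIT` is questionable if, as in upstream QEMU, that value means "return from v7-M exception": a dedicated internal code would keep the two conditions distinguishable in the exception handler. The generated code also falls out of the switch without branching to `label` as the other cases presumably do, so it is worth confirming that the internal-exception helper never returns to translated code. arm_gen_test_cc begins before the hunk.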
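Review bot: In both disas_thumb_insn hunks the line after the change still left-shifts the now sign-extended `offset` (`val += offset << 1;` here and `val += (offset << 1) + 2;` in the @@ -11137 hunk), which is undefined for a negative branch offset, the same class of UB the hunk fixes one line earlier and one UBSan will report on the first backward branch. Since `val` appears to be accumulated as an unsigned 32-bit value (`val = (uint32_t)s->pc + 2`), do the shift unsigned as well: `val += (uint32_t)offset << 1;` and `val += ((uint32_t)offset << 1) + 2;`. The function begins before the hunk and continues after it.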
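Review bot: Skipping the negation for INT64_MIN leaves `val` negative, so the digit loop in the second helper_fbst_ST0 hunk computes negative remainders (`val % 100` is -8 for that value) and stores bytes such as 0xF8 rather than packed BCD, and the literal `0x8000000000000000LL` is actually `unsigned long long` because it does not fit `long long`. Converting to an unsigned magnitude first removes both the special case and the cast the second hunk adds, since `v` is then always 0..99; the rewritten lines are below (`mag` needs a `uint64_t` declaration at the top of the function, outside the hunk). Values with more than 18 decimal digits, INT64_MIN included, are still truncated at the ninth byte, whereas the Intel SDM describes FBSTP as storing the packed-BCD indefinite value for out-of-range input; that is a separate, pre-existing gap worth a TODO.
```c
    if (val < 0) {
        cpu_stb_data(env, mem_end, 0x80);
        mag = 0 - (uint64_t)val;   /* defined for INT64_MIN, unlike -val */
    } else {
        cpu_stb_data(env, mem_end, 0x00);
        mag = (uint64_t)val;
    }
    while (mem_ref < mem_end) {
        if (mag == 0) {
            break;
        }
        v = (int)(mag % 100);
        mag /= 100;
        v = ((v / 10) << 4) | (v % 10);   /* v is 0..99, so no negative shift */
        cpu_stb_data(env, mem_ref++, v);
    }
    /* … unchanged: zero-fill of the remaining bytes … */
```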
diff --git a/qemu/target-i386/int_helper.c b/qemu/target-i386/int_helper.c
index 6d73ac9a..b79b2242 100644
--- a/qemu/target-i386/int_helper.c
+++ b/qemu/target-i386/int_helper.c
@@ -352,7 +352,7 @@ static int idiv64(uint64_t *plow, uint64_t *phigh, int64_t b)
 neg128(plow, phigh);
 }
 sb = (b < 0);
- if (sb) {
+ if (sb && (b != 0x8000000000000000LL)) {
 b = -b;
 }
 if (div64(plow, phigh, b) != 0) {
diff --git a/qemu/target-i386/ops_sse.h b/qemu/target-i386/ops_sse.h
index 3d5ef570..5c0301d8 100644
--- a/qemu/target-i386/ops_sse.h
+++ b/qemu/target-i386/ops_sse.h
@@ -852,7 +852,7 @@ static inline uint64_t helper_extrq(uint64_t src, int shift, int len)
 if (len == 0) {
 mask = ~0LL;
 } else {
- mask = (1ULL << len) - 1;
+ mask = (1ULL << (len & 0x3f)) - 1;
 }
 return (src >> shift) & mask;
 }
@@ -1469,8 +1469,8 @@ void glue(helper_phsubw, SUFFIX)(CPUX86State *env, Reg *d, Reg *s)
 void glue(helper_phsubd, SUFFIX)(CPUX86State *env, Reg *d, Reg *s)
 {
- d->L(0) = (int32_t)d->L(0) - (int32_t)d->L(1);
- XMM_ONLY(d->L(1) = (int32_t)d->L(2) - (int32_t)d->L(3));
+ d->L(0) = (int32_t)((int64_t)d->L(0) - (int64_t)d->L(1));
+ XMM_ONLY(d->L(1) = (int32_t)((int64_t)d->L(2) - (int64_t)d->L(3)));
 d->L((1 << SHIFT) + 0) = (uint32_t)((int32_t)s->L(0) - (int32_t)s->L(1));
 XMM_ONLY(d->L(3) = (int32_t)s->L(2) - (int32_t)s->L(3));
 }
diff --git a/qemu/target-i386/translate.c b/qemu/target-i386/translate.c
index 0370f9b7..cdfd7144 100644
--- a/qemu/target-i386/translate.c
+++ b/qemu/target-i386/translate.c
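Review bot: Masking `len` fixes the shift-count UB on the mask only; `src >> shift` on the last line of helper_extrq has the same hazard whenever `shift` is 64 or more, and if the register form of the caller passes a raw byte of the source operand (as upstream QEMU's helper_extrq_r does), that is exactly the input fuzzing will produce next. Apply the same treatment there: `return (src >> (shift & 0x3f)) & mask;`. A short comment, `/* both fields are 6-bit in the encoding; mask so stray high bits cannot become an out-of-range shift */`, explains both masks at once.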
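Review bot: The fix covers only the first two lanes of helper_phsubd; the two context lines that follow still subtract as `int32_t` (`(int32_t)s->L(0) - (int32_t)s->L(1)` and, with no cast back at all, `XMM_ONLY(d->L(3) = (int32_t)s->L(2) - (int32_t)s->L(3))`), so the signed overflow being fixed remains reachable through the `s` operand. If `L()` lanes are `uint32_t`, as the `(uint32_t)` cast on the third line suggests, only the low 32 bits of the difference are stored anyway, so the whole function can subtract in `uint32_t`, where wraparound is defined and the bit pattern is identical: `d->L(0) = d->L(0) - d->L(1);` and likewise for the other three lanes, dropping the `int64_t` detour entirely.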
@@ -1014,7 +1014,7 @@ static CCPrepare gen_prepare_eflags_c(DisasContext *s, TCGv reg)
 /* (CC_SRC >> (DATA_BITS - 1)) & 1 */
 size = s->cc_op - CC_OP_SHLB;
 shift = (8 << size) - 1;
- return ccprepare_make(TCG_COND_NE, cpu_cc_src, 0, 0, (target_ulong)(1U << shift), false, false);
+ return ccprepare_make(TCG_COND_NE, cpu_cc_src, 0, 0, (target_ulong)(1ULL << shift), false, false);
 case CC_OP_MULB: case CC_OP_MULW: case CC_OP_MULL: case CC_OP_MULQ:
 return ccprepare_make(TCG_COND_NE, cpu_cc_src, 0, 0, -1, false, false);
diff --git a/qemu/target-m68k/helper.c b/qemu/target-m68k/helper.c
index c685e7e0..6bbdb312 100644
--- a/qemu/target-m68k/helper.c
+++ b/qemu/target-m68k/helper.c
@@ -169,10 +169,10 @@ void HELPER(set_macsr)(CPUM68KState *env, uint32_t val)
 }
 if (env->macsr & MACSR_FI) {
 regval = (((uint64_t)acc) << 8) | extlow;
- regval |= ((int64_t)exthigh) << 40;
+ regval |= ((uint64_t)((int64_t)exthigh)) << 40;
 } else if (env->macsr & MACSR_SU) {
 regval = acc | (((int64_t)extlow) << 32);
- regval |= ((int64_t)exthigh) << 40;
+ regval |= ((uint64_t)((int64_t)exthigh)) << 40;
 } else {
 regval = acc | (((uint64_t)extlow) << 32);
 regval |= ((uint64_t)(uint8_t)exthigh) << 40;
@@ -609,7 +609,7 @@ void HELPER(macsatf)(CPUM68KState *env, uint32_t acc)
 int64_t result;
 sum = env->macc[acc];
- result = (sum << 16) >> 16;
+ result = ((int64_t)((uint64_t)sum << 16)) >> 16;
 if (result != sum) {
 env->macsr |= MACSR_V;
 }
@@ -762,11 +762,11 @@ void HELPER(set_mac_exts)(CPUM68KState *env, uint32_t val, uint32_t acc)
 int32_t tmp;
 res = (uint32_t)env->macc[acc];
 tmp = (int16_t)val;
- res |= ((int64_t)tmp) << 32;
+ res |= ((uint64_t)((int64_t)tmp)) << 32;
 env->macc[acc] = res;
 res = (uint32_t)env->macc[acc + 1];
 tmp = val & 0xffff0000;
- res |= (int64_t)tmp << 16;
+ res |= ((uint64_t)((int64_t)tmp)) << 16;
 env->macc[acc + 1] = res;
 }
diff --git a/qemu/target-mips/translate.c b/qemu/target-mips/translate.c
index c9d5aa98..c0c1c1eb 100644
--- a/qemu/target-mips/translate.c
+++ b/qemu/target-mips/translate.c
@@ -1703,7 +1703,7 @@ static inline void gen_op_addr_add (DisasContext *ctx, TCGv ret, TCGv arg0, TCGv
 static target_long addr_add(DisasContext *ctx, target_long base, target_long offset)
 {
- target_long sum = base + offset;
+ target_long sum = (target_long)((target_ulong)base + offset);
 #if defined(TARGET_MIPS64)
 if (ctx->hflags & MIPS_HFLAG_AWRAP) {
@@ -8505,7 +8505,7 @@ static void gen_movci (DisasContext *ctx, int rd, int rs, int cc, int tf)
 l1 = gen_new_label(tcg_ctx);
 t0 = tcg_temp_new_i32(tcg_ctx);
- tcg_gen_andi_i32(tcg_ctx, t0, tcg_ctx->fpu_fcr31, 1 << get_fp_bit(cc));
+ tcg_gen_andi_i32(tcg_ctx, t0, tcg_ctx->fpu_fcr31, 1U << get_fp_bit(cc));
 tcg_gen_brcondi_i32(tcg_ctx, cond, t0, 0, l1);
 tcg_temp_free_i32(tcg_ctx, t0);
 if (rs == 0) {
@@ -11378,12 +11378,12 @@ static int decode_mips16_opc (CPUMIPSState *env, DisasContext *ctx, bool *insn_n
 break;
 case M16_OPC_BEQZ:
 gen_compute_branch(ctx, OPC_BEQ, 2, rx, 0,
- ((int8_t)ctx->opcode) << 1, 0);
+ ((uint8_t)ctx->opcode) << 1, 0);
 /* No delay slot, so just process as a normal instruction */
 break;
 case M16_OPC_BNEQZ:
 gen_compute_branch(ctx, OPC_BNE, 2, rx, 0,
- ((int8_t)ctx->opcode) << 1, 0);
+ ((uint8_t)ctx->opcode) << 1, 0);
 /* No delay slot, so just process as a normal instruction */
 break;
 case M16_OPC_SHIFT:
@@ -11456,18 +11456,18 @@ static int decode_mips16_opc (CPUMIPSState *env, DisasContext *ctx, bool *insn_n
 switch (funct) {
 case I8_BTEQZ:
 gen_compute_branch(ctx, OPC_BEQ, 2, 24, 0,
- ((int8_t)ctx->opcode) << 1, 0);
+ ((uint8_t)ctx->opcode) << 1, 0);
 break;
 case I8_BTNEZ:
 gen_compute_branch(ctx, OPC_BNE, 2, 24, 0,
- ((int8_t)ctx->opcode) << 1, 0);
+ ((uint8_t)ctx->opcode) << 1, 0);
 break;
 case I8_SWRASP:
 gen_st(ctx, OPC_SW, 31, 29, (ctx->opcode & 0xff) << 2);
 break;
 case I8_ADJSP:
 gen_arith_imm(ctx, OPC_ADDIU, 29, 29,
- ((int8_t)ctx->opcode) << 3);
+ ((uint8_t)ctx->opcode) << 3);
 break;
 case I8_SVRS:
 {
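Review bot: Replacing `(int8_t)` with `(uint8_t)` in the four branch cases and in ADJSP changes the instruction semantics, not just the UB: the 8-bit immediate of MIPS16 BEQZ/BNEZ/BTEQZ/BTNEZ and ADJSP is signed, and zero-extending it turns every backward branch or negative stack adjustment into a large positive offset, so guest code will jump or move SP in the wrong direction. Keep the sign extension and avoid the left shift of a negative value with a multiplication, which is defined for these ranges: `(int8_t)ctx->opcode * 2, 0);` for the branches and `(int8_t)ctx->opcode * 8);` for ADJSP. This applies to both decode_mips16_opc hunks (@@ -11378 and @@ -11456); the function begins before the hunk and continues after it.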
@@ -17488,7 +17488,7 @@ static void gen_msa_branch(CPUMIPSState *env, DisasContext *ctx, uint32_t op1)
 break;
 }
- ctx->btarget = ctx->pc + (s16 << 2) + 4;
+ ctx->btarget = ctx->pc + (int64_t)((uint64_t)s16 << 2) + 4;
 ctx->hflags |= MIPS_HFLAG_BC;
 ctx->hflags |= MIPS_HFLAG_BDS32;
diff --git a/qemu/tcg/tcg.c b/qemu/tcg/tcg.c
index c82e33b7..93a327e8 100644
--- a/qemu/tcg/tcg.c
+++ b/qemu/tcg/tcg.c
@@ -263,7 +263,7 @@ void *tcg_malloc_internal(TCGContext *s, int size)
 if (size > TCG_POOL_CHUNK_SIZE) {
 /* big malloc: insert a new pool (XXX: could optimize) */
- p = g_malloc(sizeof(TCGPool) + size);
+ p = g_malloc0(sizeof(TCGPool) + size);
 p->size = size;
 p->next = s->pool_first_large;
 s->pool_first_large = p;
@@ -278,7 +278,7 @@ void *tcg_malloc_internal(TCGContext *s, int size)
 if (!p->next) {
 new_pool:
 pool_size = TCG_POOL_CHUNK_SIZE;
- p = g_malloc(sizeof(TCGPool) + pool_size);
+ p = g_malloc0(sizeof(TCGPool) + pool_size);
 p->size = pool_size;
 p->next = NULL;
 if (s->pool_current)
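Review bot: Switching both pool allocations in tcg_malloc_internal to `g_malloc0` papers over an uninitialised read in some consumer of `tcg_malloc` rather than fixing it, and it adds a memset of every TCG_POOL_CHUNK_SIZE chunk on the translation path; the same change is in the @@ -278 hunk. If a sanitizer report identified the reader, initialise the object there; if the zeroing is to stay as a safety net, record why so it is not reverted as an optimisation later, e.g. `/* zeroed on purpose: translator structures have been seen read before initialisation (oss-fuzz ids in the commit message) */`. The function begins before the hunk and continues after it.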