From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43410)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <arei.gonglei@huawei.com>) id 1WuIF1-0007G6-Ed
	for qemu-devel@nongnu.org; Tue, 10 Jun 2014 05:21:20 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <arei.gonglei@huawei.com>) id 1WuIEt-0002Sk-1e
	for qemu-devel@nongnu.org; Tue, 10 Jun 2014 05:21:15 -0400
Received: from szxga02-in.huawei.com ([119.145.14.65]:53101)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <arei.gonglei@huawei.com>) id 1WuIEs-0002RI-5b
	for qemu-devel@nongnu.org; Tue, 10 Jun 2014 05:21:06 -0400
From: <arei.gonglei@huawei.com>
Date: Tue, 10 Jun 2014 17:20:27 +0800
Message-ID: <1402392027-9164-5-git-send-email-arei.gonglei@huawei.com>
In-Reply-To: <1402392027-9164-1-git-send-email-arei.gonglei@huawei.com>
References: <1402392027-9164-1-git-send-email-arei.gonglei@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain
Subject: [Qemu-devel] [PATCH v3 4/4] vga: Fix divide-by-zero in
	vga_update_text
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: weidong.huang@huawei.com, luonengjun@huawei.com, lcapitulino@redhat.com, Gonglei <arei.gonglei@huawei.com>, av1474@comtv.ru, kraxel@redhat.com, stefanha@redhat.com, pbonzini@redhat.com

From: Gonglei <arei.gonglei@huawei.com>

Spotted by Coverity:

(20) Event cond_true:  Condition "cursor_visible", taking true branch
(21) Event cond_true:  Condition "cursor_offset < size", taking true branch
(22) Event cond_true:  Condition "cursor_offset >= 0", taking true branch

2097    if (cursor_visible && cursor_offset < size && cursor_offset >= 0)
(23) Event divide_by_zero:  In expression "cursor_offset / width",
division by expression "width" which may be zero has undefined behavior.

2098                    dpy_text_cursor(s->con,
2099                                    TEXTMODE_X(cursor_offset),
2100                                    TEXTMODE_Y(cursor_offset));

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
 hw/display/vga.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c
index 8cd6afe..3c1c6eb 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -2094,7 +2094,7 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
             s->cr[VGA_CRTC_CURSOR_START] != s->cursor_start ||
             s->cr[VGA_CRTC_CURSOR_END] != s->cursor_end || full_update) {
             cursor_visible = !(s->cr[VGA_CRTC_CURSOR_START] & 0x20);
-            if (cursor_visible && cursor_offset < size && cursor_offset >= 0)
+            if (cursor_visible && cursor_offset < size && cursor_offset > 0)
                 dpy_text_cursor(s->con,
                                 TEXTMODE_X(cursor_offset),
                                 TEXTMODE_Y(cursor_offset));
-- 
1.7.12.4