From 8621bca53758532ad6a4ec5d17684fcdb9923cc6 Mon Sep 17 00:00:00 2001
From: Chen Huitao
Date: Sun, 5 Jan 2020 19:20:29 +0800
Subject: [PATCH] fix some oss-fuzz bugs (#1182)
* fix oss-fuzz 10419.
* fix oss-fuzz 10427.
* fix oss-fuzz 10421.
* fix oss-fuzz 10422.
* fix oss-fuzz 10425.
* fix oss-fuzz 10426.
* fix oss-fuzz 10426.
* fix oss-fuzz 10422.
* fix oss-fuzz 10426.
* fix oss-fuzz 10456.
* fix oss-fuzz 10428.
* fix oss-fuzz 10429.
* fix oss-fuzz 10431.
* fix oss-fuzz 10435.
* fix oss-fuzz 10430.
* fix oss-fuzz 10436.
* remove unused var.
* fix oss-fuzz 10449.
* fix oss-fuzz 10452.
* fix oss-fuzz 11792.
* fix oss-fuzz 10457.
* fix oss-fuzz 11737.
* fix oss-fuzz 10458.
* fix oss-fuzz 10565.
* fix oss-fuzz 11651.
* fix oss-fuzz 10497.
* fix oss-fuzz 10515.
* fix oss-fuzz 10586.
* fix oss-fuzz 10597.
* fiz oss-fuzz 11721.
* fix oss-fuzz 10718.
* fix oss-fuzz 15610.
* fix oss-fuzz 10512.
* fix oss-fuzz 10545.
---
qemu/fpu/softfloat.c | 4 ++--
qemu/include/fpu/softfloat.h | 2 +-
qemu/target-arm/helper.c | 14 +++++++-------
qemu/target-arm/op_helper.c | 2 +-
qemu/target-arm/translate-a64.c | 2 +-
qemu/target-arm/translate.c | 2 +-
qemu/target-i386/cpu.h | 2 +-
qemu/target-i386/fpu_helper.c | 2 +-
qemu/target-i386/ops_sse.h | 2 +-
qemu/target-i386/translate.c | 2 +-
qemu/target-m68k/helper.c | 8 ++++----
qemu/target-mips/cpu.h | 4 ++--
qemu/target-mips/op_helper.c | 12 ++++++------
qemu/target-mips/translate.c | 4 ++--
14 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/qemu/fpu/softfloat.c b/qemu/fpu/softfloat.c
index 88b6a175..b6d10784 100644
--- a/qemu/fpu/softfloat.c
+++ b/qemu/fpu/softfloat.c
@@ -4606,7 +4606,7 @@ int32 floatx80_to_int32( floatx80 a STATUS_PARAM )
 if (floatx80_invalid_encoding(a)) {
 float_raise(float_flag_invalid STATUS_VAR);
- return 1 << 31;
+ return (int32)(1U << 31);
 }
 aSig = extractFloatx80Frac( a );
 aExp = extractFloatx80Exp( a );
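Review bot: The new `return (int32)(1U << 31);` no longer shifts into the sign bit, but it still relies on an implementation-defined conversion, since 0x80000000 is out of range for a signed 32-bit `int32`. If this is meant to be the integer-indefinite result INT32_MIN, writing `return INT32_MIN;` (or `(int32)0x80000000` with a one-line comment naming it) states the intent and stops depending on two's-complement wraparound. The following hunk for floatx80_to_int32_round_to_zero uses the same pattern and would take the same change. floatx80_to_int32's body continues outside the hunk.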
@@ -4638,7 +4638,7 @@ int32 floatx80_to_int32_round_to_zero( floatx80 a STATUS_PARAM )
 if (floatx80_invalid_encoding(a)) {
 float_raise(float_flag_invalid STATUS_VAR);
- return 1 << 31;
+ return (int32)(1U << 31);
 }
 aSig = extractFloatx80Frac( a );
 aExp = extractFloatx80Exp( a );
diff --git a/qemu/include/fpu/softfloat.h b/qemu/include/fpu/softfloat.h
index 692f8d3f..94b4e194 100644
--- a/qemu/include/fpu/softfloat.h
+++ b/qemu/include/fpu/softfloat.h
@@ -419,7 +419,7 @@ static inline int float32_is_zero(float32 a)
 static inline int float32_is_any_nan(float32 a)
 {
- return ((float32_val(a) & ~(1 << 31)) > 0x7f800000UL);
+ return ((float32_val(a) & ~(1U << 31)) > 0x7f800000UL);
 }
 static inline int float32_is_zero_or_denormal(float32 a)
diff --git a/qemu/target-arm/helper.c b/qemu/target-arm/helper.c
index 93521029..8f655340 100644
--- a/qemu/target-arm/helper.c
+++ b/qemu/target-arm/helper.c
@@ -406,11 +406,11 @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 */
 if (arm_feature(env, ARM_FEATURE_VFP)) {
 /* VFP coprocessor: cp10 & cp11 [23:20] */
- mask |= (1 << 31) | (1 << 30) | (0xf << 20);
+ mask |= (1U << 31) | (1 << 30) | (0xf << 20);
 if (!arm_feature(env, ARM_FEATURE_NEON)) {
 /* ASEDIS [31] bit is RAO/WI */
- value |= (1 << 31);
+ value |= (1U << 31);
 }
 /* VFPv3 and upwards with NEON implement 32 double precision
@@ -575,14 +575,14 @@ static void pmccfiltr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 static void pmcntenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
 uint64_t value)
 {
- value &= (1 << 31);
+ value &= (1U << 31);
 env->cp15.c9_pmcnten |= value;
 }
 static void pmcntenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 uint64_t value)
 {
- value &= (1 << 31);
+ value &= (1U << 31);
 env->cp15.c9_pmcnten &= ~value;
 }
@@ -608,14 +608,14 @@ static void pmintenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
 uint64_t value)
 {
 /* We have no event counters so only the C bit can be changed */
- value &= (1 << 31);
+ value &= (1U << 31);
 env->cp15.c9_pminten |= value;
 }
 static void pmintenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 uint64_t value)
 {
- value &= (1 << 31);
+ value &= (1U << 31);
 env->cp15.c9_pminten &= ~value;
 }
@@ -2145,7 +2145,7 @@ void hw_watchpoint_update(ARMCPU *cpu, int n)
 * We choose to ignore any non-zero bits after the first range of 1s.
 */
 basstart = ctz32(bas);
- len = cto32(bas >> basstart);
+ len = cto32(bas >> (basstart & 0x1f));
 wvr += basstart;
 }
diff --git a/qemu/target-arm/op_helper.c b/qemu/target-arm/op_helper.c
index 1b774054..4c8f99ce 100644
--- a/qemu/target-arm/op_helper.c
+++ b/qemu/target-arm/op_helper.c
@@ -118,7 +118,7 @@ uint32_t HELPER(double_saturate)(CPUARMState *env, int32_t val)
 res = SIGNBIT;
 env->QF = 1;
 } else {
- res = val << 1;
+ res = (uint32_t)val << 1;
 }
 return res;
 }
diff --git a/qemu/target-arm/translate-a64.c b/qemu/target-arm/translate-a64.c
index ac130c69..eb2fd639 100644
--- a/qemu/target-arm/translate-a64.c
+++ b/qemu/target-arm/translate-a64.c
@@ -2839,7 +2839,7 @@ static bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
 * by r within the element (which is e bits wide)...
 */
 mask = bitmask64(s + 1);
- mask = (mask >> r) | (mask << (e - r));
+ mask = (mask >> r) | (mask << ((e - r) & 0x3f) );
 /* ...then replicate the element over the whole 64 bit value */
 mask = bitfield_replicate(mask, e);
 *result = mask;
diff --git a/qemu/target-arm/translate.c b/qemu/target-arm/translate.c
index e34a2d4c..576dfd66 100644
--- a/qemu/target-arm/translate.c
+++ b/qemu/target-arm/translate.c
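Review bot: Masking the shift count with `& 0x1f` hides the condition that produced it instead of handling it: `ctz32(bas)` only returns 32 when `bas` is 0, and in that case the new line computes `cto32(0)`, leaves `len` at 0 and still advances `wvr` by 32, so the code after the hunk presumably goes on to install a zero-length watchpoint at the wrong address. As far as I recall the architecture, an all-zero BAS field means the watchpoint never matches, so the fix belongs immediately before `basstart = ctz32(bas);` as `if (bas == 0) { return; }` — and if an earlier `bas == 0` check already exists outside the hunk, it is evidently not covering this path (for instance if `bas` is narrowed to its low nibble afterwards), so it should move below that narrowing. hw_watchpoint_update starts and ends outside the hunk.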
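Review bot: `(e - r) & 0x3f` reads as though any shift count could occur, when the only out-of-range case is `e - r == 64`, i.e. `e == 64` with `r == 0` (assuming `r` has already been reduced below `e` earlier in the function, outside the hunk); the clearer fix is to skip the rotate when there is nothing to rotate: `if (r) { mask = (mask >> r) | (mask << (e - r)); }`. With `r == 0` the masked expression evaluates to `mask | mask`, so the result is the same, but a reader has to work that out, and the stray space before the closing parenthesis should go either way. logic_imm_decode_wmask starts outside the hunk.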
@@ -9900,7 +9900,7 @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
 if (insn & 0x5000) {
 /* Unconditional branch. */
 /* signextend(hw1[10:0]) -> offset[:12]. */
- offset = ((int32_t)insn << 5) >> 9 & ~(int32_t)0xfff;
+ offset = ((int32_t)(insn << 5)) >> 9 & ~(int32_t)0xfff;
 /* hw1[10:0] -> offset[11:1]. */
 offset |= (insn & 0x7ff) << 1;
 /* (~hw2[13, 11] ^ offset[24]) -> offset[23,22]
diff --git a/qemu/target-i386/cpu.h b/qemu/target-i386/cpu.h
index 5d55410b..00887308 100644
--- a/qemu/target-i386/cpu.h
+++ b/qemu/target-i386/cpu.h
@@ -265,7 +265,7 @@
 #define PG_ADDRESS_MASK 0x000ffffffffff000LL
 #define PG_HI_RSVD_MASK (PG_ADDRESS_MASK & ~PHYS_ADDR_MASK)
 #define PG_HI_USER_MASK 0x7ff0000000000000LL
-#define PG_NX_MASK (1LL << PG_NX_BIT)
+#define PG_NX_MASK (1ULL << PG_NX_BIT)
 #define PG_ERROR_W_BIT 1
diff --git a/qemu/target-i386/fpu_helper.c b/qemu/target-i386/fpu_helper.c
index 70018740..80e48e35 100644
--- a/qemu/target-i386/fpu_helper.c
+++ b/qemu/target-i386/fpu_helper.c
@@ -999,7 +999,7 @@ void helper_fstenv(CPUX86State *env, target_ulong ptr, int data32)
 /* zero */
 fptag |= 1;
 } else if (exp == 0 || exp == MAXEXPD
- || (mant & (1LL << 63)) == 0) {
+ || (mant & (1ULL << 63)) == 0) {
 /* NaNs, infinity, denormal */
 fptag |= 2;
 }
diff --git a/qemu/target-i386/ops_sse.h b/qemu/target-i386/ops_sse.h
index 09c21462..3d5ef570 100644
--- a/qemu/target-i386/ops_sse.h
+++ b/qemu/target-i386/ops_sse.h
@@ -874,7 +874,7 @@ static inline uint64_t helper_insertq(uint64_t src, int shift, int len)
 if (len == 0) {
 mask = ~0ULL;
 } else {
- mask = (1ULL << len) - 1;
+ mask = (1ULL << (len & 0x3f)) - 1;
 }
 return (src & ~(mask << shift)) | ((src & mask) << shift);
 }
diff --git a/qemu/target-i386/translate.c b/qemu/target-i386/translate.c
index a68282ad..0370f9b7 100644
--- a/qemu/target-i386/translate.c
+++ b/qemu/target-i386/translate.c
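Review bot: The rewritten `offset = ((int32_t)(insn << 5)) >> 9 & ~(int32_t)0xfff;` removes the left shift of a negative value but still leans on two implementation-defined steps: converting `insn << 5` to `int32_t` when bit 31 is set, and the arithmetic right shift of that negative value, which is the step the sign extension actually depends on. At minimum a comment should say so, e.g. `/* relies on arithmetic >> of a negative int32_t to sign-extend insn[26:16] into offset[22:12] */`; if qemu/bitops.h is in scope here as it is elsewhere in target-arm, `offset = sextract32(insn, 16, 11) * 4096;` expresses the same thing with no shift on a signed operand at all — I believe the two agree bit-for-bit for a 32-bit `insn`, but it deserves a check against the existing Thumb-2 branch tests before swapping. disas_thumb2_insn starts and ends outside the hunk.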
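Review bot: Only `len` is masked, but `shift` appears to come from the same 8-bit register or immediate fields (the callers are outside the hunk), and `mask << shift` and `(src & mask) << shift` on the return line are undefined for `shift >= 64` in exactly the same way. Masking after the zero test also misreads `len == 64`: it is not 0, so it yields `mask = (1ULL << 0) - 1 == 0` rather than the full-width mask, whereas INSERTQ (as I recall the specification) uses only the low six bits of both fields, which makes 64 equivalent to 0. Reducing both operands at the top of the function — `shift &= 0x3f; len &= 0x3f;` — and keeping the original `(1ULL << len) - 1` handles both cases.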
@@ -1014,7 +1014,7 @@ static CCPrepare gen_prepare_eflags_c(DisasContext *s, TCGv reg)
 /* (CC_SRC >> (DATA_BITS - 1)) & 1 */
 size = s->cc_op - CC_OP_SHLB;
 shift = (8 << size) - 1;
- return ccprepare_make(TCG_COND_NE, cpu_cc_src, 0, 0, (target_ulong)(1 << shift), false, false);
+ return ccprepare_make(TCG_COND_NE, cpu_cc_src, 0, 0, (target_ulong)(1U << shift), false, false);
 case CC_OP_MULB: case CC_OP_MULW: case CC_OP_MULL: case CC_OP_MULQ:
 return ccprepare_make(TCG_COND_NE, cpu_cc_src, 0, 0, -1, false, false);
diff --git a/qemu/target-m68k/helper.c b/qemu/target-m68k/helper.c
index 6e3efc10..c685e7e0 100644
--- a/qemu/target-m68k/helper.c
+++ b/qemu/target-m68k/helper.c
@@ -510,7 +510,7 @@ uint64_t HELPER(macmuls)(CPUM68KState *env, uint32_t op1, uint32_t op2)
 int64_t res;
 product = (uint64_t)op1 * op2;
- res = (product << 24) >> 24;
+ res = ((int64_t)(((uint64_t)product) << 24)) >> 24;
 if (res != product) {
 env->macsr |= MACSR_V;
 if (env->macsr & MACSR_OMC) {
@@ -565,7 +565,7 @@ void HELPER(macsats)(CPUM68KState *env, uint32_t acc)
 int64_t tmp;
 int64_t result;
 tmp = env->macc[acc];
- result = ((tmp << 16) >> 16);
+ result = ((int64_t)((uint64_t)tmp << 16) >> 16);
 if (result != tmp) {
 env->macsr |= MACSR_V;
 }
@@ -746,12 +746,12 @@ void HELPER(set_mac_extf)(CPUM68KState *env, uint32_t val, uint32_t acc)
 int32_t tmp;
 res = env->macc[acc] & 0xffffffff00ull;
 tmp = (int16_t)(val & 0xff00);
- res |= ((int64_t)tmp) << 32;
+ res |= ((uint64_t)((int64_t)tmp)) << 32;
 res |= val & 0xff;
 env->macc[acc] = res;
 res = env->macc[acc + 1] & 0xffffffff00ull;
 tmp = (val & 0xff000000);
- res |= ((int64_t)tmp) << 16;
+ res |= ((uint64_t)((int64_t)tmp)) << 16;
 res |= (val >> 16) & 0xff;
 env->macc[acc + 1] = res;
 }
diff --git a/qemu/target-mips/cpu.h b/qemu/target-mips/cpu.h
index 1c192cef..819b9447 100644
--- a/qemu/target-mips/cpu.h
+++ b/qemu/target-mips/cpu.h
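Review bot: `1U << shift` is still undefined for the `CC_OP_SHLQ` case, where `size` is 3 and `shift` is 63 — shifting an `unsigned int` by 63 is UB regardless of signedness, and on x86 hosts the count is typically reduced modulo 32, so the carry mask for a 64-bit shift result silently becomes `1 << 31`. Widen before shifting so the shift happens in the target width: `(target_ulong)1 << shift`. This case may be unreachable in 32-bit-only builds, but as far as I can tell it is reachable on TARGET_X86_64. gen_prepare_eflags_c starts and ends outside the hunk.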
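Review bot: `((int64_t)(((uint64_t)product) << 24)) >> 24` sign-extends the low 40 bits of `product`, but it says so only indirectly and still relies on the implementation-defined arithmetic right shift of a negative `int64_t`; if qemu/bitops.h is in scope in this helper, `res = sextract64(product, 0, 40);` states the intent and contains no shift of a signed operand. The same rewrite applies to the macsats hunk below, `result = sextract64(tmp, 0, 48);`. `product`'s declaration is outside the hunk, so I am assuming it is an `int64_t` as upstream declares it — if it were already unsigned, the `(uint64_t)` cast would be redundant and worth dropping.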
@@ -113,8 +113,8 @@ struct CPUMIPSFPUContext {
 #define FCR0_REV 0
 /* fcsr */
 uint32_t fcr31;
-#define SET_FP_COND(num,env) do { ((env).fcr31) |= ((num) ? (1 << ((num) + 24)) : (1 << 23)); } while(0)
-#define CLEAR_FP_COND(num,env) do { ((env).fcr31) &= ~((num) ? (1 << ((num) + 24)) : (1 << 23)); } while(0)
+#define SET_FP_COND(num,env) do { ((env).fcr31) |= ((num) ? ((int)(1U << ((num) + 24))) : (1 << 23)); } while(0)
+#define CLEAR_FP_COND(num,env) do { ((env).fcr31) &= ~((num) ? ((int)(1U << ((num) + 24))) : (1 << 23)); } while(0)
 #define GET_FP_COND(env) ((((env).fcr31 >> 24) & 0xfe) | (((env).fcr31 >> 23) & 0x1))
 #define GET_FP_CAUSE(reg) (((reg) >> 12) & 0x3f)
 #define GET_FP_ENABLE(reg) (((reg) >> 7) & 0x1f)
diff --git a/qemu/target-mips/op_helper.c b/qemu/target-mips/op_helper.c
index c1c0b293..0855d8a3 100644
--- a/qemu/target-mips/op_helper.c
+++ b/qemu/target-mips/op_helper.c
@@ -1301,7 +1301,7 @@ void helper_mtc0_pagemask(CPUMIPSState *env, target_ulong arg1)
 (mask == 0x0000 || mask == 0x0003 || mask == 0x000F ||
 mask == 0x003F || mask == 0x00FF || mask == 0x03FF ||
 mask == 0x0FFF || mask == 0x3FFF || mask == 0xFFFF)) {
- env->CP0_PageMask = arg1 & (0x1FFFFFFF & (TARGET_PAGE_MASK << 1));
+ env->CP0_PageMask = arg1 & (0x1FFFFFFF & (((unsigned int)TARGET_PAGE_MASK) << 1));
 }
 }
@@ -1375,7 +1375,7 @@ void helper_mtc0_count(CPUMIPSState *env, target_ulong arg1)
 void helper_mtc0_entryhi(CPUMIPSState *env, target_ulong arg1)
 {
 target_ulong old, val, mask;
- mask = (TARGET_PAGE_MASK << 1) | 0xFF;
+ mask = (((unsigned int)TARGET_PAGE_MASK) << 1) | 0xFF;
 if (((env->CP0_Config4 >> CP0C4_IE) & 0x3) >= 2) {
 mask |= 1 << CP0EnHi_EHINV;
 }
@@ -1911,7 +1911,7 @@ static void r4k_fill_tlb(CPUMIPSState *env, int idx)
 return;
 }
 tlb->EHINV = 0;
- tlb->VPN = env->CP0_EntryHi & (TARGET_PAGE_MASK << 1);
+ tlb->VPN = env->CP0_EntryHi & (((unsigned int)TARGET_PAGE_MASK) << 1);
 #if defined(TARGET_MIPS64)
 tlb->VPN &= env->SEGMask;
 #endif
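Review bot: The `(int)` cast wrapped around `1U << ((num) + 24)` reintroduces an implementation-defined step — 0x80000000 does not fit in `int` when `num` is 7 — only for the result to be widened straight back to the unsigned `fcr31` it is OR-ed into; keeping both arms unsigned is simpler and clean, `((num) ? (1U << ((num) + 24)) : (1U << 23))`, and it also makes the `~` in CLEAR_FP_COND operate on an unsigned value. Since neither macro range-checks its argument, a one-line comment that `num` is a condition-code index 0..7 (the bits GET_FP_COND reads: 23 and 25..31) would help callers. These lines sit inside the CPUMIPSFPUContext struct body, which starts outside the hunk.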
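Review bot: Casting `TARGET_PAGE_MASK` to `unsigned int` changes the value of `mask` on TARGET_MIPS64: if TARGET_PAGE_MASK is still the usual `~(TARGET_PAGE_SIZE - 1)` (an `int`), the old expression sign-extended to 0xffffffffffffe0ff when converted to a 64-bit `target_ulong`, whereas `((unsigned int)TARGET_PAGE_MASK) << 1` is a 32-bit value that zero-extends to 0x00000000ffffe0ff, so the upper 32 bits of the VPN2 written to EntryHi are now discarded from `val`. Doing the arithmetic in the register width removes the UB without truncating: `mask = ((target_ulong)TARGET_PAGE_MASK << 1) | 0xFF;`. The body of helper_mtc0_entryhi continues outside the hunk.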
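Review bot: On TARGET_MIPS64 the new mask truncates the VPN: `((unsigned int)TARGET_PAGE_MASK) << 1` is a 32-bit unsigned value (0xffffe000 with 4K pages) that zero-extends when AND-ed with `env->CP0_EntryHi`, so `tlb->VPN` loses bits 32 and up — the old `int` expression, undefined as it was, sign-extended and kept them, and the `SEGMask` step two lines later cannot restore bits that are already gone. Shift in the register width instead: `tlb->VPN = env->CP0_EntryHi & ((target_ulong)TARGET_PAGE_MASK << 1);`. This assumes TARGET_PAGE_MASK is defined as `~(TARGET_PAGE_SIZE - 1)` in this tree; r4k_fill_tlb starts outside the hunk.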
@@ -1967,7 +1967,7 @@ void r4k_helper_tlbwi(CPUMIPSState *env)
 idx = (env->CP0_Index & ~0x80000000) % env->tlb->nb_tlb;
 tlb = &env->tlb->mmu.r4k.tlb[idx];
- VPN = env->CP0_EntryHi & (TARGET_PAGE_MASK << 1);
+ VPN = env->CP0_EntryHi & (((unsigned int)TARGET_PAGE_MASK) << 1);
 #if defined(TARGET_MIPS64)
 VPN &= env->SEGMask;
 #endif
@@ -2011,7 +2011,7 @@ void r4k_helper_tlbp(CPUMIPSState *env)
 for (i = 0; i < env->tlb->nb_tlb; i++) {
 tlb = &env->tlb->mmu.r4k.tlb[i];
 /* 1k pages are not supported. */
- mask = tl b->PageMask | ~(TARGET_PAGE_MASK << 1);
+ mask = tlb->PageMask | ~(((unsigned int)TARGET_PAGE_MASK) << 1);
 tag = env->CP0_EntryHi & ~mask;
 VPN = tlb->VPN & ~mask;
 #if defined(TARGET_MIPS64)
@@ -2029,7 +2029,7 @@ void r4k_helper_tlbp(CPUMIPSState *env)
 for (i = env->tlb->nb_tlb; i < env->tlb->tlb_in_use; i++) {
 tlb = &env->tlb->mmu.r4k.tlb[i];
 /* 1k pages are not supported. */
- mask = tlb->PageMask | ~(TARGET_PAGE_MASK << 1);
+ mask = tlb->PageMask | ~(((unsigned int)TARGET_PAGE_MASK) << 1);
 tag = env->CP0_EntryHi & ~mask;
 VPN = tlb->VPN & ~mask;
 #if defined(TARGET_MIPS64)
diff --git a/qemu/target-mips/translate.c b/qemu/target-mips/translate.c
index 5b1022bc..c9d5aa98 100644
--- a/qemu/target-mips/translate.c
+++ b/qemu/target-mips/translate.c
@@ -11157,7 +11157,7 @@ static int decode_extended_mips16_opc (CPUMIPSState *env, DisasContext *ctx)
 gen_addiupc(ctx, rx, imm, 0, 1);
 break;
 case M16_OPC_B:
- gen_compute_branch(ctx, OPC_BEQ, 4, 0, 0, offset << 1, 0);
+ gen_compute_branch(ctx, OPC_BEQ, 4, 0, 0, (uint16_t)offset << 1, 0);
 /* No delay slot, so just process as a normal instruction */
 break;
 case M16_OPC_BEQZ:
@@ -15331,7 +15331,7 @@ static void gen_mipsdsp_bitinsn(DisasContext *ctx, uint32_t op1, uint32_t op2,
 imm = (ctx->opcode >> 16) & 0x03FF;
 imm = (int16_t)(imm << 6) >> 6;
 tcg_gen_movi_tl(tcg_ctx, *cpu_gpr[ret], \
- (target_long)((int32_t)imm << 16 | \
+ (target_long)((int32_t)((uint32_t)imm << 16) | \
 (uint16_t)imm));
 }
 break;
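Review bot: Same MIPS64 truncation as in r4k_fill_tlb: `((unsigned int)TARGET_PAGE_MASK) << 1` is a 32-bit value, so `VPN` (a `target_ulong` declared outside the hunk) keeps only the low 32 bits of EntryHi, and the following `VPN &= env->SEGMask;` cannot bring the upper bits back; whatever the function compares `VPN` against after the hunk will therefore mismatch for any 64-bit mapping. `VPN = env->CP0_EntryHi & ((target_ulong)TARGET_PAGE_MASK << 1);` performs the shift in the right width. The two r4k_helper_tlbp hunks below are not affected, because they complement the shifted mask and so end up with the same small positive value either way; r4k_helper_tlbwi's body continues past the hunk.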
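Review bot: `(uint16_t)offset << 1` silently breaks backward branches: if `offset` is the signed 16-bit immediate (its declaration is outside the hunk, but the cast only makes sense for a signed type), a value such as -2 becomes 0xfffe, is promoted to `int` and shifted to 0x1fffc, so gen_compute_branch receives +131068 instead of -4. Multiplying avoids the undefined left shift without losing the sign, `gen_compute_branch(ctx, OPC_BEQ, 4, 0, 0, offset * 2, 0);`, as does `(int32_t)((uint32_t)offset << 1)` if the shift form is preferred. decode_extended_mips16_opc starts and ends outside the hunk.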