diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2016-03-02 16:04:38 +0100 |
---|---|---|
committer | Richard Henderson <rth@twiddle.net> | 2016-03-14 10:52:48 -0700 |
commit | e2e02a820741ec4d96b8f313b06a2a7ed5e94fbd (patch) | |
tree | 6e0df6c61fbf4b602e6bccc175830d95222c6319 | |
parent | a657f79e32422634415c09f3f15c73d610297af5 (diff) | |
download | qemu-e2e02a820741ec4d96b8f313b06a2a7ed5e94fbd.zip qemu-e2e02a820741ec4d96b8f313b06a2a7ed5e94fbd.tar.gz qemu-e2e02a820741ec4d96b8f313b06a2a7ed5e94fbd.tar.bz2 |
target-i386: Fix addr16 prefix
While ADDSEG will only be false in 16-bit mode for LEA, it can be
false even in other cases when 16-bit addresses are obtained via
the 67h prefix in 32-bit mode. In this case, gen_lea_v_seg forgets
to add a nonzero FS or GS base if CS/DS/ES/SS are all zero. This
case is pretty rare but happens when booting Windows 95/98, and
this patch fixes it.
The bug is visible since commit d6a291498, but it was introduced
together with gen_lea_v_seg and it probably could be reproduced
with a "addr16 gs movsb" instruction as early as in commit
ca2f29f555805d07fb0b9ebfbbfc4e3656530977.
Reported-by: Hervé Poussineau <hpoussin@reactos.org>
Tested-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1456931078-21635-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
-rw-r--r-- | target-i386/translate.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/target-i386/translate.c b/target-i386/translate.c index b73c237..0b67165 100644 --- a/target-i386/translate.c +++ b/target-i386/translate.c @@ -466,15 +466,15 @@ static void gen_lea_v_seg(DisasContext *s, TCGMemOp aflag, TCGv a0, break; case MO_16: /* 16 bit address */ - if (ovr_seg < 0) { - ovr_seg = def_seg; - } tcg_gen_ext16u_tl(cpu_A0, a0); - /* ADDSEG will only be false in 16-bit mode for LEA. */ - if (!s->addseg) { - return; - } a0 = cpu_A0; + if (ovr_seg < 0) { + if (s->addseg) { + ovr_seg = def_seg; + } else { + return; + } + } break; default: tcg_abort(); |