hw/ssi/imx_spi: changed while statement to prevent underflow

The while statement in question only checked if tx_burst is not 0. tx_burst is a signed int, which is assigned the value put by the guest driver in ECSPI_CONREG. The burst length can be anywhere between 1 and 4096, and since tx_burst is always decremented by 8 it could possibly underflow, causing an infinite loop. Signed-off-by: Eden Mikitas <e.mikitas@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
author: Eden Mikitas <e.mikitas@gmail.com> 2020-06-02 13:44:34 +0100
committer: Peter Maydell <peter.maydell@linaro.org> 2020-06-05 17:23:08 +0100
commit: 9c49c83e4b23d31676633a1189faa6e70b489c01 (patch)
tree: a17da6b23e17d28065fa1b90a242ad7c393686e6 /hw/ssi
parent: 5d2f557b47dfbf8f23277a5bdd8473d4607c681a (diff)
download: qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.zip
qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.tar.gz
qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 2dd9a63..6fef5c7 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -182,7 +182,7 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
 
         rx = 0;
 
-        while (tx_burst) {
+        while (tx_burst > 0) {
             uint8_t byte = tx & 0xff;
 
             DPRINTF("writing 0x%02x\n", (uint32_t)byte);
author	Eden Mikitas <e.mikitas@gmail.com>	2020-06-02 13:44:34 +0100
committer	Peter Maydell <peter.maydell@linaro.org>	2020-06-05 17:23:08 +0100
commit	9c49c83e4b23d31676633a1189faa6e70b489c01 (patch)
tree	a17da6b23e17d28065fa1b90a242ad7c393686e6 /hw/ssi
parent	5d2f557b47dfbf8f23277a5bdd8473d4607c681a (diff)
download	qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.zip qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.tar.gz qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.tar.bz2