aboutsummaryrefslogtreecommitdiff
path: root/hw
diff options
context:
space:
mode:
authorEden Mikitas <e.mikitas@gmail.com>2020-06-02 13:44:34 +0100
committerPeter Maydell <peter.maydell@linaro.org>2020-06-05 17:23:08 +0100
commit9c49c83e4b23d31676633a1189faa6e70b489c01 (patch)
treea17da6b23e17d28065fa1b90a242ad7c393686e6 /hw
parent5d2f557b47dfbf8f23277a5bdd8473d4607c681a (diff)
downloadqemu-9c49c83e4b23d31676633a1189faa6e70b489c01.zip
qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.tar.gz
qemu-9c49c83e4b23d31676633a1189faa6e70b489c01.tar.bz2
hw/ssi/imx_spi: changed while statement to prevent underflow
The while statement in question only checked if tx_burst is not 0. tx_burst is a signed int, which is assigned the value put by the guest driver in ECSPI_CONREG. The burst length can be anywhere between 1 and 4096, and since tx_burst is always decremented by 8 it could possibly underflow, causing an infinite loop. Signed-off-by: Eden Mikitas <e.mikitas@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
-rw-r--r--hw/ssi/imx_spi.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 2dd9a63..6fef5c7 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -182,7 +182,7 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
rx = 0;
- while (tx_burst) {
+ while (tx_burst > 0) {
uint8_t byte = tx & 0xff;
DPRINTF("writing 0x%02x\n", (uint32_t)byte);