diff options
| author | Paolo Bonzini | 2022-10-19 14:32:04 +0200 |
|---|---|---|
| committer | Paolo Bonzini | 2022-10-20 15:15:50 +0200 |
| commit | 0d4bcac3cac461798d810e6df54768d9613ea794 (patch) | |
| tree | 1e734cde13e49ae818345c7c7a64becebfc44f6f /target/i386 | |
| parent | Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (diff) | |
| download | qemu-0d4bcac3cac461798d810e6df54768d9613ea794.tar.gz qemu-0d4bcac3cac461798d810e6df54768d9613ea794.tar.xz qemu-0d4bcac3cac461798d810e6df54768d9613ea794.zip | |
target/i386: decode-new: avoid out-of-bounds access to xmm_regs[-1]
If the destination is a memory register, op->n is -1. Going through
tcg_gen_gvec_dup_imm path is both useless (the value has been stored
by the gen_* function already) and wrong because of the out-of-bounds
access.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'target/i386')
| -rw-r--r-- | target/i386/tcg/emit.c.inc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/target/i386/tcg/emit.c.inc b/target/i386/tcg/emit.c.inc index 27eca591a9..ebf299451d 100644 --- a/target/i386/tcg/emit.c.inc +++ b/target/i386/tcg/emit.c.inc @@ -296,7 +296,7 @@ static void gen_writeback(DisasContext *s, X86DecodedInsn *decode, int opn, TCGv case X86_OP_MMX: break; case X86_OP_SSE: - if ((s->prefix & PREFIX_VEX) && op->ot == MO_128) { + if (!op->has_ea && (s->prefix & PREFIX_VEX) && op->ot == MO_128) { tcg_gen_gvec_dup_imm(MO_64, offsetof(CPUX86State, xmm_regs[op->n].ZMM_X(1)), 16, 16, 0); |