hw/ssi/imx_spi: changed while statement to prevent underflow

The while statement in question only checked if tx_burst is not 0. tx_burst is a signed int, which is assigned the value put by the guest driver in ECSPI_CONREG. The burst length can be anywhere between 1 and 4096, and since tx_burst is always decremented by 8 it could possibly underflow, causing an infinite loop. Signed-off-by: Eden Mikitas <e.mikitas@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
qemu · Jun 5, 2020 · 9c49c83 · 9c49c83
1 parent 5d2f557
commit 9c49c83
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
@@ -182,7 +182,7 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
 
         rx = 0;
 
-        while (tx_burst) {
+        while (tx_burst > 0) {
             uint8_t byte = tx & 0xff;
 
             DPRINTF("writing 0x%02x\n", (uint32_t)byte);