target/mips/mxu: Avoid overrun in gen_mxu_S32SLT()

Coverity reports a potential overrun (CID 1517769): Overrunning array "mxu_gpr" of 15 8-byte elements at element index 4294967295 (byte offset 34359738367) using index "XRb - 1U" (which evaluates to 4294967295). Use gen_load_mxu_gpr() to safely load MXU registers. Fixes: ff7936f ("target/mips/mxu: Add S32SLT ... insns") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20230712060806.82323-3-philmd@linaro.org>
qemu · Jul 25, 2023 · e37fdc7 · e37fdc7
1 parent d4eda54
commit e37fdc7
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/target/mips/tcg/mxu_translate.c b/target/mips/tcg/mxu_translate.c
@@ -2434,8 +2434,12 @@ static void gen_mxu_S32SLT(DisasContext *ctx)
         tcg_gen_movi_tl(mxu_gpr[XRa - 1], 0);
     } else {
         /* the most general case */
-        tcg_gen_setcond_tl(TCG_COND_LT, mxu_gpr[XRa - 1],
-                           mxu_gpr[XRb - 1], mxu_gpr[XRc - 1]);
+        TCGv t0 = tcg_temp_new();
+        TCGv t1 = tcg_temp_new();
+
+        gen_load_mxu_gpr(t0, XRb);
+        gen_load_mxu_gpr(t1, XRc);
+        tcg_gen_setcond_tl(TCG_COND_LT, mxu_gpr[XRa - 1], t0, t1);
     }
 }