From 5d8d0294238f471508c2929856b95b65530964ba Mon Sep 17 00:00:00 2001
Message-Id: <5d8d0294238f471508c2929856b95b65530964ba.1350312451.git.minovotn@redhat.com>
In-Reply-To: <aa2da19f266f7dd7345db5620ee362446fc6e806.1350312451.git.minovotn@redhat.com>
References: <aa2da19f266f7dd7345db5620ee362446fc6e806.1350312451.git.minovotn@redhat.com>
From: Alon Levy <alevy@redhat.com>
Date: Sun, 7 Oct 2012 15:31:46 +0200
Subject: [PATCH 09/27] qxl: Slot sanity check in qxl_phys2virt() is off by
 one, fix

RH-Author: Alon Levy <alevy@redhat.com>
Message-id: <1349623920-19894-3-git-send-email-alevy@redhat.com>
Patchwork-id: 42777
O-Subject: [PATCH RHEL-6.4 v2 02/16] qxl: Slot sanity check in qxl_phys2virt() is off by one, fix
Bugzilla: 770842
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Arnon Gilboa <agilboa@redhat.com>

From: Markus Armbruster <armbru@redhat.com>

Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Upstream: 6b7332eb4013fec6ad294115ab889d77d4463624
---
 hw/qxl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 hw/qxl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/qxl.c b/hw/qxl.c
index 5bcddc2..aef3486 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1160,7 +1160,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
     case MEMSLOT_GROUP_HOST:
         return (void*)offset;
     case MEMSLOT_GROUP_GUEST:
-        PANIC_ON(slot > NUM_MEMSLOTS);
+        PANIC_ON(slot >= NUM_MEMSLOTS);
         PANIC_ON(!qxl->guest_slots[slot].active);
         PANIC_ON(offset < qxl->guest_slots[slot].delta);
         offset -= qxl->guest_slots[slot].delta;
-- 
1.7.11.7