x86/hvm: Fix boundary check in hvmemul_insn_fetch()

c/s 0943a03037 added some extra protection for overflowing the emulation
instruction cache, but Coverity points out that boundary condition is off by
one when memcpy()'ing out of the buffer.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>

diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c
index 99fc4ca34be235e23885919e4e163322006a03ff..087425f8359f87a2f65e2a129e4d2932cceca712 100644 (file)
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -958,8 +958,8 @@ int hvmemul_insn_fetch(
              * Will we overflow insn_buf[]?  This shouldn't be able to happen,
              * which means something went wrong with instruction decoding...
              */
-            if ( insn_off > sizeof(hvmemul_ctxt->insn_buf) ||
-                 (insn_off + bytes) > sizeof(hvmemul_ctxt->insn_buf) )
+            if ( insn_off >= sizeof(hvmemul_ctxt->insn_buf) ||
+                 (insn_off + bytes) >= sizeof(hvmemul_ctxt->insn_buf) )
             {
                 ASSERT_UNREACHABLE();
                 return X86EMUL_UNHANDLEABLE;