From 5a992b670bff697c40b513c9e037598ba35ca7d4 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Tue, 25 Jul 2017 19:48:43 +0100
Subject: [PATCH] x86/hvm: Fix boundary check in hvmemul_insn_fetch()

c/s 0943a03037 added some extra protection for overflowing the emulation
instruction cache, but Coverity points out that boundary condition is off by
one when memcpy()'ing out of the buffer.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
---
 xen/arch/x86/hvm/emulate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c
index 99fc4ca34b..087425f835 100644
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -958,8 +958,8 @@ int hvmemul_insn_fetch(
              * Will we overflow insn_buf[]?  This shouldn't be able to happen,
              * which means something went wrong with instruction decoding...
              */
-            if ( insn_off > sizeof(hvmemul_ctxt->insn_buf) ||
-                 (insn_off + bytes) > sizeof(hvmemul_ctxt->insn_buf) )
+            if ( insn_off >= sizeof(hvmemul_ctxt->insn_buf) ||
+                 (insn_off + bytes) >= sizeof(hvmemul_ctxt->insn_buf) )
             {
                 ASSERT_UNREACHABLE();
                 return X86EMUL_UNHANDLEABLE;
-- 
2.39.5