From f27f7ce25831dd6dba803b60592c04684738ab8b Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 22 Aug 2014 11:28:52 +0200
Subject: [PATCH] linux-user: Cast validity checks on g_posix_timers range

We check whether the passed in counter value is negative on all calls
that involve g_posix_timers. However, we also check check for negativity
of that value after casting it - at which point it couldn't possibly be
negative anymore.

Cast the check to int16_t. Maybe this is correct. Maybe the check should
get removed completely.

Signed-off-by: Alexander Graf <agraf@suse.de>
---
 linux-user/syscall.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 0b4668d..660095b 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9602,7 +9602,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
         /* args: timer_t timerid, int flags, const struct itimerspec *new_value,
          * struct itimerspec * old_value */
         arg1 &= 0xffff;
-        if (arg3 == 0 || arg1 < 0 || arg1 >= ARRAY_SIZE(g_posix_timers)) {
+        if (arg3 == 0 || (int16_t)arg1 < 0 || arg1 >= ARRAY_SIZE(g_posix_timers)) {
             ret = -TARGET_EINVAL;
         } else {
             timer_t htimer = g_posix_timers[arg1];
@@ -9624,7 +9624,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
         arg1 &= 0xffff;
         if (!arg2) {
             return -TARGET_EFAULT;
-        } else if (arg1 < 0 || arg1 >= ARRAY_SIZE(g_posix_timers)) {
+        } else if ((int16_t)arg1 < 0 || arg1 >= ARRAY_SIZE(g_posix_timers)) {
             ret = -TARGET_EINVAL;
         } else {
             timer_t htimer = g_posix_timers[arg1];
@@ -9644,7 +9644,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
     {
         /* args: timer_t timerid */
         arg1 &= 0xffff;
-        if (arg1 < 0 || arg1 >= ARRAY_SIZE(g_posix_timers)) {
+        if ((int16_t)arg1 < 0 || arg1 >= ARRAY_SIZE(g_posix_timers)) {
             ret = -TARGET_EINVAL;
         } else {
             timer_t htimer = g_posix_timers[arg1];
@@ -9659,7 +9659,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
     {
         /* args: timer_t timerid */
         arg1 &= 0xffff;
-        if (arg1 < 0 || arg1 >= ARRAY_SIZE(g_posix_timers)) {
+        if ((int16_t)arg1 < 0 || arg1 >= ARRAY_SIZE(g_posix_timers)) {
             ret = -TARGET_EINVAL;
         } else {
             timer_t htimer = g_posix_timers[arg1];
-- 
2.7.4