From a9f5cf5d2ff55abdd05a2ab6965d8b4ba190eac9 Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Tue, 4 Feb 2014 13:03:48 +0100
Subject: Fix FPU state access Found by coverity. * i386/i386/fpu.c (fpu_set_state, fpu_get_state): Fix out of bound `user_fp_regs' access.
---
 i386/i386/fpu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'i386')
diff --git a/i386/i386/fpu.c b/i386/i386/fpu.c
index fd5f4b6..62a4e67 100644
--- a/i386/i386/fpu.c
+++ b/i386/i386/fpu.c
@@ -374,7 +374,7 @@ ASSERT_IPL(SPL0);
 ifps->xfp_save_state.fp_dp = user_fp_state->fp_dp;
 ifps->xfp_save_state.fp_ds = user_fp_state->fp_ds;
 for (i=0; i<8; i++)
- memcpy(&ifps->xfp_save_state.fp_reg_word[i], &user_fp_regs[i], sizeof(user_fp_regs[i]));
+ memcpy(&ifps->xfp_save_state.fp_reg_word[i], &user_fp_regs->fp_reg_word[i], sizeof(user_fp_regs[i]));
 } else {
 ifps->fp_save_state.fp_control = user_fp_state->fp_control;
 ifps->fp_save_state.fp_status = user_fp_state->fp_status;
@@ -467,7 +467,7 @@ ASSERT_IPL(SPL0);
 user_fp_state->fp_dp = ifps->xfp_save_state.fp_dp;
 user_fp_state->fp_ds = ifps->xfp_save_state.fp_ds;
 for (i=0; i<8; i++)
- memcpy(&user_fp_regs[i], &ifps->xfp_save_state.fp_reg_word[i], sizeof(user_fp_regs[i]));
+ memcpy(&user_fp_regs->fp_reg_word[i], &ifps->xfp_save_state.fp_reg_word[i], sizeof(user_fp_regs[i]));
 } else {
 user_fp_state->fp_control = ifps->fp_save_state.fp_control;
 user_fp_state->fp_status = ifps->fp_save_state.fp_status;
-- cgit v1.2.3
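Review bot: The length passed to `memcpy` in the `for (i=0; i<8; i++)` loop of the first hunk is still `sizeof(user_fp_regs[i])`. Because the new code dereferences `user_fp_regs->fp_reg_word`, `user_fp_regs[i]` is the whole pointed-to structure, so each iteration copies the full structure size rather than one register slot. For `i >= 1` that still runs past the end of `*user_fp_regs` and past the destination slot in `ifps->xfp_save_state`, which in this thread-state path (presumably `fpu_set_state`) means caller-supplied bytes overwriting adjacent kernel save-area fields. The second hunk (presumably `fpu_get_state`) has the same length in the opposite direction, where the over-long copy would write kernel save-area bytes beyond the caller's register buffer. In both loops the size should name the element being copied, `sizeof(user_fp_regs->fp_reg_word[i])`, ideally with a compile-time check that it matches the size of `ifps->xfp_save_state.fp_reg_word[i]`. Both function bodies begin and end outside the hunks, so the declared type of `user_fp_regs` should be confirmed against the full file.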