Commit 78d66a25c5 for qemu.org

commit 78d66a25c54339b370d2062826c8a011012ab6c0
Author: Peter Maydell <peter.maydell@linaro.org>
Date:   Mon Nov 24 17:34:07 2025 +0000

    replay: Improve assert in replay_char_read_all_load()

    In replay_char_read_all_load() we get a buffer and size from the
    replay log.  We know the size has to fit an int because of how we
    write the log.  However the way we assert this is wrong: we cast the
    size_t from replay_get_array() to an int and then check that it is
    non-negative.  This misses cases where an over-large size is
    truncated into a positive value by the cast.

    Replace the assertion with checking that the size is in-range
    before doing the cast.

    Coverity complained about the possible overflow: CID 1643440.

    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
    Message-ID: <20251124173407.50124-1-peter.maydell@linaro.org>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

diff --git a/replay/replay-char.c b/replay/replay-char.c
index 81dc416e98..4e58dd154a 100644
--- a/replay/replay-char.c
+++ b/replay/replay-char.c
@@ -126,8 +126,8 @@ int replay_char_read_all_load(uint8_t *buf)
         int res;
         replay_get_array(buf, &size);
         replay_finish_event();
+        assert(size <= INT_MAX);
         res = (int)size;
-        assert(res >= 0);
         return res;
     } else if (replay_next_event_is(EVENT_CHAR_READ_ALL_ERROR)) {
         int res = replay_get_dword();