target-i386: Fix addr16 prefix

While ADDSEG will only be false in 16-bit mode for LEA, it can be false even in other cases when 16-bit addresses are obtained via the 67h prefix in 32-bit mode. In this case, gen_lea_v_seg forgets to add a nonzero FS or GS base if CS/DS/ES/SS are all zero. This case is pretty rare but happens when booting Windows 95/98, and this patch fixes it. The bug is visible since commit d6a291498, but it was introduced together with gen_lea_v_seg and it probably could be reproduced with a "addr16 gs movsb" instruction as early as in commit ca2f29f555805d07fb0b9ebfbbfc4e3656530977. Backports commit e2e02a820741ec4d96b8f313b06a2a7ed5e94fbd from qemu
2025-02-02 05:30:59 +00:00 · 2018-02-21 21:21:02 -05:00 · 2018-02-21 21:21:02 -05:00 · 55c2a21fe8
parent 085a3c9aab
commit 55c2a21fe8
1 changed files with 7 additions and 7 deletions
--- a/qemu/target-i386/translate.c
+++ b/qemu/target-i386/translate.c
@ -556,15 +556,15 @@ static void gen_lea_v_seg(DisasContext *s, TCGMemOp aflag, TCGv a0,
        break;
    case MO_16:
        /* 16 bit address */
-        if (ovr_seg < 0) {
-            ovr_seg = def_seg;
-        }
        tcg_gen_ext16u_tl(tcg_ctx, cpu_A0, a0);
-        /* ADDSEG will only be false in 16-bit mode for LEA.  */
-        if (!s->addseg) {
-            return;
-        }
        a0 = cpu_A0;
+        if (ovr_seg < 0) {
+            if (s->addseg) {
+                ovr_seg = def_seg;
+            } else {
+                return;
+            }
+        }
        break;
    default:
        tcg_abort();