Fix incorrect implementation of AESKEYGENASSIST in the case where

the two registers are the same.  Fixes #341698.

git-svn-id: svn://svn.valgrind.org/vex/trunk@3036

diff --git a/VEX/priv/guest_amd64_helpers.c b/VEX/priv/guest_amd64_helpers.c
index ddcccafd5ecdcbaed68f4367daae0a5639464ce4..629e11a2b1bdfc0558a839fa0928a458e93eef7f 100644 (file)
--- a/VEX/priv/guest_amd64_helpers.c
+++ b/VEX/priv/guest_amd64_helpers.c
@@ -3845,10 +3845,19 @@ extern void amd64g_dirtyhelper_AESKEYGENASSIST (
    V128* argL = (V128*)( ((UChar*)gst) + gstOffL );
    V128* argR = (V128*)( ((UChar*)gst) + gstOffR );
 
-   argR->w32[3] = RotWord (SubWord (argL->w32[3])) ^ imm8;
-   argR->w32[2] = SubWord (argL->w32[3]);
-   argR->w32[1] = RotWord (SubWord (argL->w32[1])) ^ imm8;
-   argR->w32[0] = SubWord (argL->w32[1]);
+   // We have to create the result in a temporary in the
+   // case where the src and dst regs are the same.  See #341698.
+   V128 tmp;
+
+   tmp.w32[3] = RotWord (SubWord (argL->w32[3])) ^ imm8;
+   tmp.w32[2] = SubWord (argL->w32[3]);
+   tmp.w32[1] = RotWord (SubWord (argL->w32[1])) ^ imm8;
+   tmp.w32[0] = SubWord (argL->w32[1]);
+
+   argR->w32[3] = tmp.w32[3];
+   argR->w32[2] = tmp.w32[2];
+   argR->w32[1] = tmp.w32[1];
+   argR->w32[0] = tmp.w32[0];
 }