From 003d1c8bc8be6c45fc39eb1b886def17482ed3a5 Mon Sep 17 00:00:00 2001 From: Aaron Merey Date: Sun, 31 May 2026 21:54:53 -0400 Subject: [PATCH] riscv_disasm.c: Fix out-of-bounds reads The riscv_disasm function reads instruction mnemonics from static arrays based on the Control and Status Register (CSR) number encoded in an instruction. Two separate bounds checks performed before reading from these arrays had incorrect upper bounds and allowed out-of-bounds reads. Fix two CSR bounds checks to prevent this. The affected CSR numbers that are no longer included in the modified checks are now properly handled in a generic CSR handler in the riscv_disasm function. Signed-off-by: Aaron Merey --- libcpu/riscv_disasm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libcpu/riscv_disasm.c b/libcpu/riscv_disasm.c index 749d4567..38a9ab9f 100644 --- a/libcpu/riscv_disasm.c +++ b/libcpu/riscv_disasm.c @@ -1097,7 +1097,7 @@ riscv_disasm (Ebl *ebl, else if ((word & 0x3000) == 0x2000 && rs1 == 0) { uint32_t csr = word >> 20; - if (/* csr >= 0x000 && */ csr <= 0x007) + if (/* csr >= 0x000 && */ csr <= 0x003) { static const char *const unprivrw[4] = { @@ -1105,7 +1105,7 @@ riscv_disasm (Ebl *ebl, }; mne = unprivrw[csr - 0x000]; } - else if (csr >= 0xc00 && csr <= 0xc03) + else if (csr >= 0xc00 && csr <= 0xc02) { static const char *const unprivrolow[3] = { -- 2.47.3
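Review bot: In the first hunk the new bound `csr <= 0x003` is correct for `unprivrw[4]`, but the check is still a hard-coded literal that has to be kept in step with the array length by hand, which is exactly how the original `csr <= 0x007` drifted out of range. Consider expressing the bound in terms of the array itself, e.g. `if (csr < sizeof (unprivrw) / sizeof (unprivrw[0]))`, so that the array and its guard cannot diverge again; the commented-out `csr >= 0x000` half of the condition is dead for an unsigned `csr` and could be dropped while the line is being touched. A regression test that disassembles an instruction with CSR 0x004 through 0x007 and confirms it reaches the generic handler would pin the new behaviour down.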
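Review bot: In the second hunk the range `0xc00 .. 0xc02` now matches the three entries of `unprivrolow[3]`, but as in the first hunk the upper limit is a literal that is independent of the array declaration; the old `csr <= 0xc03` admitted four values for a three-element table, a one-off that is easy to reintroduce. Deriving the limit from `sizeof (unprivrolow) / sizeof (unprivrolow[0])` (or a shared enum constant used for both the array size and the check) would make the relationship explicit. It would also help to add a test covering CSR 0xc03 to verify that it is no longer looked up in this table.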