From a7a5d187e77f7853755eff4768658daf8095c3b7 Mon Sep 17 00:00:00 2001
From: mio
Date: Fri, 30 Jun 2023 20:21:56 +0800
Subject: [PATCH] Backport https://github.com/qemu/qemu/commit/10b8eb94c0902b58d83df84a9eeae709a3480e82 target/i386: Verify memory operand for lcall and ljmp

These two opcodes only allow a memory operand. Lacking the check for a register operand, we used the A0 temp without initialization, which led to a tcg abort.
---
 qemu/target/i386/translate.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/qemu/target/i386/translate.c b/qemu/target/i386/translate.c
index 2cc88f23..fc06162e 100644
--- a/qemu/target/i386/translate.c
+++ b/qemu/target/i386/translate.c
@@ -5476,6 +5476,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
 gen_jr(s, s->T0);
 break;
 case 3: /* lcall Ev */
+ if (mod == 3) {
+ goto illegal_op;
+ }
 gen_op_ld_v(s, ot, s->T1, s->A0);
 gen_add_A0_im(s, 1 << ot);
 gen_op_ld_v(s, MO_16, s->T0, s->A0);
@@ -5503,6 +5506,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
 gen_jr(s, s->T0);
 break;
 case 5: /* ljmp Ev */
+ if (mod == 3) {
+ goto illegal_op;
+ }
 gen_op_ld_v(s, ot, s->T1, s->A0);
 gen_add_A0_im(s, 1 << ot);
 gen_op_ld_v(s, MO_16, s->T0, s->A0);
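Review bot: The added `mod == 3` guard in the `case 3: /* lcall Ev */` arm (and the identical one in the second hunk for `case 5: /* ljmp Ev */`) carries no comment, so a reader of the decoder sees a bare `goto illegal_op` with no link to the uninitialized-A0 abort the commit message describes. I would put `/* lcall/ljmp Ev take only a memory operand; mod == 3 encodes a register form, so A0 was never set up by the decoder */` above the `if` in each arm. Because the same three-line guard now appears twice, any later change to this check presumably has to be applied in both arms; a single check ahead of the `case` dispatch might be preferable, but whether that is feasible depends on code outside the hunk. The enclosing `disas_insn` starts and ends outside both hunks.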