Orginal qemu commit hash:14d02cfbe4adaeebe7cb833a8cc71191352cf03b 

In function pcie_add_capability, an assert contains the 
"offset < offset + size" expression. 
Both variable offset and variable size are uint16_t, 
the comparison is always true due to type promotion. 
The next expression may be the same.

It might be like this:
Thread 1 "qemu-system-x86" hit Breakpoint 1, pcie_add_capability (
    dev=0x555557ce5f10, cap_id=1, cap_ver=2 '\002', offset=256, size=72)
    at ../hw/pci/pcie.c:930
930	{
(gdb) n
931	    assert(offset >= PCI_CONFIG_SPACE_SIZE);
(gdb) n
932	    assert(offset < offset + size);
(gdb) p offset
$1 = 256
(gdb) p offset < offset + size
$2 = 1
(gdb) set offset=65533
(gdb) p offset < offset + size
$3 = 1
(gdb) p offset < (uint16_t)(offset + size)
$4 = 0


Signed-off-by: Daniella Lee <daniellalee111@gmail.com>
---
 hw/pci/pcie.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index c5ed266337..d7d73a31e4 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -929,8 +929,8 @@ void pcie_add_capability(PCIDevice *dev,
                          uint16_t offset, uint16_t size)
 {
     assert(offset >= PCI_CONFIG_SPACE_SIZE);
-    assert(offset < offset + size);
-    assert(offset + size <= PCIE_CONFIG_SPACE_SIZE);
+    assert(offset < (uint16_t)(offset + size));
+    assert((uint16_t)(offset + size) <= PCIE_CONFIG_SPACE_SIZE);
     assert(size >= 8);
     assert(pci_is_express(dev));
 
-- 
2.27.0