
qemu-system-m68k -M q800 -bios /dev/null segfaults

This command line:

qemu-system-m68k -M q800 -bios /dev/null

crashes with a segfault in q800_init(). Backtrace from gdb:

Thread 1 "qemu-system-m68" received signal SIGSEGV, Segmentation fault.
q800_init (machine=<optimised out>) at ../../hw/m68k/q800.c:681
681                 stl_phys(cs->as, 0, ldl_p(ptr));    /* reset initial SP */
(gdb) bt
#0  q800_init (machine=<optimised out>) at ../../hw/m68k/q800.c:681
#1  0x000055555624e62a in machine_run_board_init (machine=<optimised out>)
    at ../../hw/core/machine.c:1181
#2  0x000055555642ee68 in qemu_init_board () at ../../softmmu/vl.c:2652
#3  qmp_x_exit_preconfig (errp=<optimised out>) at ../../softmmu/vl.c:2740
#4  0x0000555556433f24 in qemu_init (argc=<optimised out>, argv=<optimised out>, envp=<optimised out>)
    at ../../softmmu/vl.c:3775
#5  0x000055555601ea76 in main (argc=1482693856, argv=0x100000, envp=0x0) at ../../softmmu/main.c:49

This happens because the code doesn't check that rom_ptr() returned a non-NULL pointer (which will happen if the BIOS image passed by the user is zero bytes). You can provoke the same segfault by creating a zero byte file and passing it to -bios.

More generally, there is a length check:

if (bios_size < 0 || bios_size > MACROM_SIZE)

but this is too loose -- the rom_ptr() call below requires that the BIOS blob is at least MACROM_SIZE bytes. We could make the condition test "bios_size != MACROM_SIZE", or change the rom_ptr() code.
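The following is an added illustration of the two checks described above, not code from QEMU or from this report. It models the relevant pieces: a rom_ptr()-like lookup that returns NULL when the registered blob does not cover the requested window, the loose size check as reported, the tightened "exactly MACROM_SIZE" check, and a reset-vector copy that tests the pointer before loading through it. MACROM_SIZE_MODEL, MACROM_ADDR_MODEL, struct loaded_rom, rom_ptr_model() and read_reset_vectors() are names and values assumed here for the example; the 1 MiB window and the ROM base address are illustrative, and the sample ROM bytes are constructed.

```c
/* Added example modelling the q800 -bios size check and rom_ptr() hazard.
 * Not QEMU code: every identifier below is an assumption for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MACROM_SIZE_MODEL 0x100000      /* assumed 1 MiB ROM window */
#define MACROM_ADDR_MODEL 0x40800000ULL /* assumed ROM base address */

/* Stand-in for the blob the ROM loader registered: base address + bytes. */
struct loaded_rom {
    uint64_t addr;
    const uint8_t *data;
    size_t size;            /* 0 for /dev/null or an empty file */
};

/* Model of rom_ptr(addr, len): a pointer into the blob only if
 * [addr, addr+len) lies entirely inside it, otherwise NULL. A zero-byte
 * blob, or any blob shorter than len, therefore yields NULL. */
static const uint8_t *rom_ptr_model(const struct loaded_rom *rom,
                                    uint64_t addr, size_t len)
{
    if (rom == NULL || rom->data == NULL || addr < rom->addr) return NULL;
    uint64_t off = addr - rom->addr;
    if (off > rom->size || len > rom->size - off) return NULL;
    return rom->data + off;
}

/* Big-endian 32-bit load, which is what ldl_p() does on an m68k target. */
static uint32_t ldl_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The check as reported: accepts any size from 0 up to MACROM_SIZE. */
static bool bios_size_ok_loose(long bios_size)
{
    return !(bios_size < 0 || bios_size > MACROM_SIZE_MODEL);
}

/* The tightened check: exactly MACROM_SIZE bytes, which is what the later
 * rom_ptr(MACROM_ADDR, MACROM_SIZE) call needs to succeed. */
static bool bios_size_ok_strict(long bios_size)
{
    return bios_size == MACROM_SIZE_MODEL;
}

/* Hardened reset-vector copy: test the pointer instead of dereferencing it
 * unconditionally. Returns 0 on success, -1 if the ROM window is not covered. */
static int read_reset_vectors(const struct loaded_rom *rom,
                              uint32_t *initial_sp, uint32_t *initial_pc)
{
    const uint8_t *ptr = rom_ptr_model(rom, MACROM_ADDR_MODEL, MACROM_SIZE_MODEL);
    if (ptr == NULL) {
        fprintf(stderr, "BIOS image does not cover the %u-byte ROM window\n",
                (unsigned)MACROM_SIZE_MODEL);
        return -1;
    }
    *initial_sp = ldl_be(ptr);      /* reset initial SP */
    *initial_pc = ldl_be(ptr + 4);  /* reset initial PC */
    return 0;
}

/* Scenario 1: the zero-byte BIOS from the report (-bios /dev/null). */
static int scenario_empty_bios(void)
{
    struct loaded_rom empty = { MACROM_ADDR_MODEL, NULL, 0 };
    uint32_t sp = 0, pc = 0;
    return read_reset_vectors(&empty, &sp, &pc);   /* -1 instead of a SIGSEGV */
}

/* Scenario 2: a constructed full-size ROM; returns the decoded initial SP. */
static uint32_t scenario_full_bios(void)
{
    static uint8_t image[MACROM_SIZE_MODEL];      /* zero-filled, constructed */
    const uint8_t fake_vectors[8] = { 0x00, 0x00, 0x80, 0x00,   /* SP 0x00008000 */
                                      0x40, 0x80, 0x00, 0x2a }; /* PC 0x4080002a */
    memcpy(image, fake_vectors, sizeof fake_vectors);
    struct loaded_rom full = { MACROM_ADDR_MODEL, image, sizeof image };
    uint32_t sp = 0, pc = 0;
    if (read_reset_vectors(&full, &sp, &pc) != 0) return 0;
    return sp;
}

int main(void)
{
    printf("loose check accepts 0 bytes: %d\n", bios_size_ok_loose(0));
    printf("strict check accepts 0 bytes: %d\n", bios_size_ok_strict(0));
    printf("empty BIOS -> %d\n", scenario_empty_bios());
    printf("full BIOS -> SP 0x%08x\n", scenario_full_bios());
    return 0;
}
```

Either fix closes the hole on its own: rejecting bios_size != MACROM_SIZE up front means rom_ptr() can no longer see a short blob, while the NULL test guards the load path even if the size check is relaxed again later. Doing both costs nothing and keeps the two invariants independent.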
