This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH v3] Fix potential access beyond array bounds in m1np
On 12/28/2012 03:59 PM, Siddhesh Poyarekar wrote:
On Fri, Dec 28, 2012 at 03:19:05PM +0100, Andreas Schwab wrote:
m remains uninitialized if p >= 18. The assignment should be moved out
of the condition anyway.
Thanks, here's v3:
diff --git a/sysdeps/ieee754/dbl-64/mpexp.c b/sysdeps/ieee754/dbl-64/mpexp.c
index c5a0283..6d07318 100644
--- a/sysdeps/ieee754/dbl-64/mpexp.c
+++ b/sysdeps/ieee754/dbl-64/mpexp.c
@@ -71,7 +71,14 @@ __mpexp(mp_no *x, mp_no *y, int p) {
for (i=2; i<=p; i++) { if (X[i]!=ZERO) break; }
if (i==p+1) { m2--; a *= TWO; }
}
- if ((m=m1+m2) <= 0) {
+
+ m = m1 + m2;
+
+ /* m1np is used to determine if we could reduce the number of iterations of
+ the polynomial expansion. We only have data up to precision of 18 and
+ anything equal to or greater than that will result in an access beyond
+ array bounds. */
+ if (__glibc_unlikely (p < 18 && m <= 0)) {
I would rather have an assert (p < 18) here - or is there a specific
reason for not having it?
m=0; a=ONE;
for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0) break; }
}
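Review bot: With the new condition `p < 18 && m <= 0`, a call with p >= 18 and m <= 0 skips the whole block, so the `m=0; a=ONE;` reset is lost along with the `m1np[i][p]` lookup, and m stays non-positive for the code that follows. If only the table lookup is unsafe at p >= 18, keep the reset under `m <= 0` and put the `p < 18` guard on the for loop alone; if p >= 18 is never expected to reach this point, the comment should say so, which would also answer the assert question raised in the reply. The bare literal 18 would be easier to keep in sync with the table if it were derived from the size of m1np rather than repeated as a number.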
Andreas
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126