4586 – printf crashes on some 'long double' values

Bug 4586 - printf crashes on some 'long double' values

Summary: printf crashes on some 'long double' values

Status:	RESOLVED DUPLICATE of bug 26649

Alias:	None

Product:	glibc
Classification:	Unclassified
Component:	libc (show other bugs)
Version:	2.3.6

Importance:	P2 normal
Target Milestone:	---
Assignee:	Ulrich Drepper

URL:
Keywords:

Depends on:
Blocks:

Reported:	2007-06-02 23:29 UTC by Bruno Haible
Modified:	2023-07-25 14:07 UTC (History)
CC List:	4 users (show)

See Also:	CVE-2020-10029 CVE-2020-29573
Host:	ia64-unknown-linux-gnu
Target:	ia64-unknown-linux-gnu
Build:	ia64-unknown-linux-gnu
Last reconfirmed:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bruno Haible 2007-06-02 23:29:12 UTC

This program crashes inside printf of a pseudo-zero 'long double' number.

============================== ia64nan.c ================================
#include <float.h>
#include <math.h>
#include <stdio.h>
union u { unsigned int word[4]; long double value; };
#define X x.value

void test (const char *label, union u x)
{
  printf ("%s:\n", label);
  printf ("isnanl: %d %d %d\n", isnanl(X) != 0, !(X == X), !(X >= 0 || X <= 0));
  printf ("isinfl: %d %d\n", isinfl(X) != 0, X + X == X && !(X == 0));
  printf ("printf: %Le %Lg\n", X, X);
  printf ("printf normalized: %Lg\n", X * 1.0L);
  printf ("\n");
}

int main ()
{
  {
    union u x = { { 0x00000000, 0x63333333, 0x00008000, 0x00000000 } };
    test ("unnormalized number", x);
  }

  {
    union u x = { { 0x00000000, 0xC3333333, 0x0000FFFF, 0x00000000 } };
    test ("QNaN", x);
  }

  {
    union u x = { { 0x00000000, 0x83333333, 0x0000FFFF, 0x00000000 } };
    test ("SNaN", x);
  }

  {
    union u x = { { 0x00000000, 0x80000000, 0x0000FFFF, 0x00000000 } };
    test ("Inf", x);
  }

  {
    union u x = { { 0x00000000, 0x40000001, 0x0000ffff, 0x00000000 } };
    test ("Pseudo-NaN", x);
  }

  {
    union u x = { { 0x00000000, 0x00000000, 0x0000ffff, 0x00000000 } };
    test ("Pseudo-Inf", x);
  }

  {
    union u x = { { 0x00000000, 0x00000000, 0x00008004, 0x00000000 } };
    test ("Pseudo-Zero", x);
  }

  return 0;
}
=========================================================================

$ gcc -O -fno-builtin -Wall ia64nan.c
$ ./a.out 
unnormalized number:
isnanl: 0 0 0
isinfl: 0 0
printf: -2.605630e-4932 -2.60563e-4932
printf normalized: -2.60563e-4932

QNaN:
isnanl: 1 1 1
isinfl: 0 0
printf: nan nan
printf normalized: nan

SNaN:
isnanl: 1 1 1
isinfl: 0 0
printf: nan nan
printf normalized: nan

Inf:
isnanl: 0 0 0
isinfl: 1 1
printf: -inf -inf
printf normalized: -inf

Pseudo-NaN:
isnanl: 0 1 1
isinfl: 0 0
printf: -5.948657e+4931 -5.94866e+4931
printf normalized: -5.94866e+4931

Pseudo-Inf:
isnanl: 0 1 1
isinfl: 0 0
printf: -0.000000e+4912 -0e+4912
printf normalized: -0e+4912

Pseudo-Zero:
isnanl: 0 0 0
isinfl: 0 0
Segmentation fault


According to
   Intel IA-64 Architecture Software Developer's Manual, Volume 1:
   Application Architecture.
   5.1.3 "Representation of Values in Floating-Point Registers"
   Table 5-2 "Floating-Point Register Encodings"
   Figure 5-11 "Floating-Point Exception Fault Prioritization"

pseudo-NaNs, pseudo-Infs, pseudo-zeroes "are never produced as a result
of an arithmetic operation", i.e. they may be considered to live outside
the IRRR 754 range of numbers. But it would be nice if printf would not
crash here, because
  1) printf is often used for debugging. This is also the reason why
     printf("%s", NULL) prints "(null)" instead of crashing.
  2) Arithmetic operations on pseudo-NaNs, pseudo-Infs, pseudo-zeroes
     don't cause program crashes, if operations on "signalling NaNs"
     don't cause program crashes (see Figure 5-11, cited above); this
     is the default behaviour, as you can see from the program's output.

Additionally, the printf results for pseudo-NaN and pseudo-Inf should better
be "nan", because these numbers behave like NaNs in comparisons, as you can
see from the program's output.

For comparison: On FreeBSD/ia64, printf of pseudo-NaN, pseudo-Inf, pseudo-zero
yields "nan", "[-]inf", "[-]0" respectively.

Comment 1 Andreas Schwab 2007-06-03 09:37:42 UTC

Trap representations invoke undefined behaviour.

Comment 2 Sourceware Commits 2007-07-07 19:59:20 UTC

Subject: Bug 4586

CVSROOT:	/cvs/glibc
Module name:	libc
Branch: 	fedora-branch
Changes by:	jakub@sourceware.org	2007-07-07 19:59:10

Modified files:
	.              : ChangeLog 
	sysdeps/i386   : ldbl2mpn.c 

Log message:
	[BZ #4586]
	* sysdeps/i386/ldbl2mpn.c (__mpn_extract_long_double): Treat
	pseudo-zeros as zero.
	* sysdeps/x86_64/ldbl2mpn.c: New file.
	* sysdeps/ia64/ldbl2mpn.c: New file.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?cvsroot=glibc&only_with_tag=fedora-branch&r1=1.8782.2.256&r2=1.8782.2.257
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/i386/ldbl2mpn.c.diff?cvsroot=glibc&only_with_tag=fedora-branch&r1=1.4&r2=1.4.4.1

Comment 3 Sourceware Commits 2007-07-07 20:00:09 UTC

Subject: Bug 4586

CVSROOT:	/cvs/glibc
Module name:	libc
Branch: 	fedora-branch
Changes by:	jakub@sourceware.org	2007-07-07 19:59:56

Added files:
	sysdeps/ia64   : ldbl2mpn.c 
	sysdeps/x86_64 : ldbl2mpn.c 

Log message:
	[BZ #4586]
	* sysdeps/i386/ldbl2mpn.c (__mpn_extract_long_double): Treat
	pseudo-zeros as zero.
	* sysdeps/x86_64/ldbl2mpn.c: New file.
	* sysdeps/ia64/ldbl2mpn.c: New file.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/ia64/ldbl2mpn.c.diff?cvsroot=glibc&only_with_tag=fedora-branch&r1=NONE&r2=1.1.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/ldbl2mpn.c.diff?cvsroot=glibc&only_with_tag=fedora-branch&r1=NONE&r2=1.1.2.1

Comment 4 Sourceware Commits 2007-07-12 13:30:44 UTC

Subject: Bug 4586

CVSROOT:	/cvs/glibc
Module name:	libc
Branch: 	glibc-2_6-branch
Changes by:	jakub@sourceware.org	2007-07-12 13:29:44

Modified files:
	.              : ChangeLog 
	dlfcn          : dlinfo.c 
	elf            : dl-addr.c dl-close.c dl-iteratephdr.c dl-load.c 
	                 dl-lookup.c dl-minimal.c dl-object.c dl-open.c 
	                 dl-runtime.c dl-support.c dl-sym.c dl-sysdep.c 
	                 do-lookup.h rtld.c 
	include        : link.h 
	malloc         : Makefile arena.c hooks.c malloc.c mcheck.c 
	math           : test-misc.c 
	nis            : nss-default.c 
	nptl           : ChangeLog Makefile allocatestack.c descr.h 
	                 init.c pthreadP.h pthread_getattr_np.c 
	                 pthread_mutex_lock.c pthread_mutex_timedlock.c 
	                 pthread_mutex_trylock.c 
	nptl/sysdeps/alpha: tls.h 
	nptl/sysdeps/i386: tls.h 
	nptl/sysdeps/ia64: tls.h 
	nptl/sysdeps/powerpc: tls.h 
	nptl/sysdeps/s390: tls.h 
	nptl/sysdeps/sh: tls.h 
	nptl/sysdeps/sparc: tls.h 
	nptl/sysdeps/unix/sysv/linux/i386/i486: sem_timedwait.S 
	nptl/sysdeps/unix/sysv/linux/x86_64: sem_timedwait.S 
	nptl/sysdeps/x86_64: tls.h 
	nscd           : nscd_helper.c 
	rt             : tst-shm.c 
	stdio-common   : Makefile tst-sprintf.c vfprintf.c vfscanf.c 
	sysdeps/generic: ldsodefs.h 
	sysdeps/i386   : ldbl2mpn.c 
	sysdeps/ieee754/ldbl-128ibm: mpn2ldbl.c printf_fphex.c 
	                             s_fpclassifyl.c s_nextafterl.c 
	sysdeps/unix/sysv/linux: Makefile syscalls.list 
	sysdeps/unix/sysv/linux/i386: sync_file_range.S 
	sysdeps/unix/sysv/linux/x86_64: sysconf.c 
	sysdeps/unix/sysv/linux/x86_64/sys: epoll.h 
	sysdeps/x86_64 : Makefile memcpy.S mempcpy.S 
Added files:
	nptl           : tst-robust9.c tst-robustpi9.c tst-sem10.c 
	stdio-common   : bug18.c bug18a.c bug19.c bug19a.c 
	                 tst-sprintf2.c 
	sysdeps/ia64   : ldbl2mpn.c 
	sysdeps/unix/sysv/linux: epoll_pwait.c 
	sysdeps/unix/sysv/linux/i386: epoll_pwait.S 
	sysdeps/x86_64 : cacheinfo.c ldbl2mpn.c 
	sysdeps/x86_64/fpu: k_cosl.c k_rem_pio2l.c k_sinl.c k_tanl.c 

Log message:
	[BZ #4745]
	[BZ #4586]
	[BZ #4702]
	[BZ #4525]
	[BZ #4514]
	[BZ #4512]
	Merge selected bugfixes from the trunk.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.10640&r2=1.10640.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/dlfcn/dlinfo.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.7&r2=1.7.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-addr.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.33&r2=1.33.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-close.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.126&r2=1.126.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-iteratephdr.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.14&r2=1.14.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-load.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.284&r2=1.284.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-lookup.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.126&r2=1.126.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-minimal.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.53&r2=1.53.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-object.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.43&r2=1.43.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-open.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.139&r2=1.139.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-runtime.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.75&r2=1.75.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-support.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.92&r2=1.92.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-sym.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.34&r2=1.34.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-sysdep.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.2&r2=1.2.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/do-lookup.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.36&r2=1.36.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/rtld.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.370&r2=1.370.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/include/link.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.44&r2=1.44.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/malloc/Makefile.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.54&r2=1.54.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/malloc/arena.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.27&r2=1.27.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/malloc/hooks.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.21&r2=1.21.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/malloc/malloc.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.178&r2=1.178.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/malloc/mcheck.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.18&r2=1.18.10.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/math/test-misc.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.23&r2=1.23.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nis/nss-default.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.3&r2=1.3.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/tst-robust9.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.2.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/tst-robustpi9.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/tst-sem10.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/ChangeLog.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.970&r2=1.970.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/Makefile.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.188&r2=1.188.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/allocatestack.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.65&r2=1.65.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/descr.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.39&r2=1.39.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/init.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.60&r2=1.60.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/pthreadP.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.64&r2=1.64.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/pthread_getattr_np.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.12&r2=1.12.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/pthread_mutex_lock.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.15&r2=1.15.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/pthread_mutex_timedlock.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.11&r2=1.11.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/pthread_mutex_trylock.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.13&r2=1.13.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/alpha/tls.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.7&r2=1.7.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/i386/tls.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.33&r2=1.33.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/ia64/tls.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.12&r2=1.12.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/powerpc/tls.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.12&r2=1.12.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/s390/tls.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.15&r2=1.15.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/sh/tls.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.11&r2=1.11.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/sparc/tls.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.8&r2=1.8.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/unix/sysv/linux/i386/i486/sem_timedwait.S.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.8&r2=1.8.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/unix/sysv/linux/x86_64/sem_timedwait.S.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.11&r2=1.11.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nptl/sysdeps/x86_64/tls.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.28&r2=1.28.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/nscd/nscd_helper.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.22&r2=1.22.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/rt/tst-shm.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.5&r2=1.5.12.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/bug18.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.2.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/bug18a.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/bug19.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/bug19a.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/tst-sprintf2.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.2.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/Makefile.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.100&r2=1.100.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/tst-sprintf.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.3&r2=1.3.12.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/vfprintf.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.139&r2=1.139.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/vfscanf.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.123&r2=1.123.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/generic/ldsodefs.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.134&r2=1.134.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/i386/ldbl2mpn.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.4&r2=1.4.14.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/ia64/ldbl2mpn.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/ieee754/ldbl-128ibm/mpn2ldbl.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.1&r2=1.1.6.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/ieee754/ldbl-128ibm/printf_fphex.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.1&r2=1.1.6.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/ieee754/ldbl-128ibm/s_fpclassifyl.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.1&r2=1.1.6.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/ieee754/ldbl-128ibm/s_nextafterl.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.2&r2=1.2.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/unix/sysv/linux/epoll_pwait.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/unix/sysv/linux/Makefile.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.151&r2=1.151.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/unix/sysv/linux/syscalls.list.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.130&r2=1.130.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/unix/sysv/linux/i386/epoll_pwait.S.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.2.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/unix/sysv/linux/i386/sync_file_range.S.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.1&r2=1.1.6.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/unix/sysv/linux/x86_64/sysconf.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.7&r2=1.7.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/unix/sysv/linux/x86_64/sys/epoll.h.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.3&r2=1.3.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/cacheinfo.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.3.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/ldbl2mpn.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/Makefile.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.4&r2=1.4.12.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/memcpy.S.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.5&r2=1.5.6.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/mempcpy.S.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=1.3&r2=1.3.6.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/fpu/k_cosl.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/fpu/k_rem_pio2l.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/fpu/k_sinl.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/fpu/k_tanl.c.diff?cvsroot=glibc&only_with_tag=glibc-2_6-branch&r1=NONE&r2=1.1.4.1

Comment 5 Sourceware Commits 2007-07-12 15:30:18 UTC

Subject: Bug 4586

CVSROOT:	/cvs/glibc
Module name:	libc
Branch: 	glibc-2_5-branch
Changes by:	jakub@sourceware.org	2007-07-12 15:30:07

Modified files:
	.              : ChangeLog 
	sysdeps/i386   : ldbl2mpn.c 
Added files:
	sysdeps/ia64   : ldbl2mpn.c 
	sysdeps/x86_64 : ldbl2mpn.c 

Log message:
	2007-06-06  Jakub Jelinek  <jakub@redhat.com>
	
	[BZ #4586]
	* sysdeps/i386/ldbl2mpn.c (__mpn_extract_long_double): Treat
	pseudo-zeros as zero.
	* sysdeps/x86_64/ldbl2mpn.c: New file.
	* sysdeps/ia64/ldbl2mpn.c: New file.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.10362.2.89&r2=1.10362.2.90
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/i386/ldbl2mpn.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.4&r2=1.4.10.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/ia64/ldbl2mpn.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=NONE&r2=1.1.6.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/sysdeps/x86_64/ldbl2mpn.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=NONE&r2=1.1.6.1

Comment 6 Sourceware Commits 2020-02-12 23:32:53 UTC

The master branch has been updated by Joseph Myers <jsm28@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9333498794cde1d5cca518badf79533a24114b6f

commit 9333498794cde1d5cca518badf79533a24114b6f
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Wed Feb 12 23:31:56 2020 +0000

    Avoid ldbl-96 stack corruption from range reduction of pseudo-zero (bug 25487).
    
    Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
    argument (an representation where all the significand bits, including
    the explicit high bit, are zero, but the exponent is not zero, which
    is not a valid representation for the long double type).
    
    Although this is not a valid long double representation, existing
    practice in this area (see bug 4586, originally marked invalid but
    subsequently fixed) is that we still seek to avoid invalid memory
    accesses as a result, in case of programs that treat arbitrary binary
    data as long double representations, although the invalid
    representations of the ldbl-96 format do not need to be consistently
    handled the same as any particular valid representation.
    
    This patch makes the range reduction detect pseudo-zero and unnormal
    representations that would otherwise go to __kernel_rem_pio2, and
    returns a NaN for them instead of continuing with the range reduction
    process.  (Pseudo-zero and unnormal representations whose unbiased
    exponent is less than -1 have already been safely returned from the
    function before this point without going through the rest of range
    reduction.)  Pseudo-zero representations would previously result in
    the value passed to __kernel_rem_pio2 being all-zero, which is
    definitely unsafe; unnormal representations would previously result in
    a value passed whose high bit is zero, which might well be unsafe
    since that is not a form of input expected by __kernel_rem_pio2.
    
    Tested for x86_64.

Comment 7 Sourceware Commits 2020-03-16 16:54:54 UTC

The release/2.29/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0474cd5de60448f31d7b872805257092faa626e4

commit 0474cd5de60448f31d7b872805257092faa626e4
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Wed Feb 12 23:31:56 2020 +0000

    Avoid ldbl-96 stack corruption from range reduction of pseudo-zero (bug 25487).
    
    Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
    argument (an representation where all the significand bits, including
    the explicit high bit, are zero, but the exponent is not zero, which
    is not a valid representation for the long double type).
    
    Although this is not a valid long double representation, existing
    practice in this area (see bug 4586, originally marked invalid but
    subsequently fixed) is that we still seek to avoid invalid memory
    accesses as a result, in case of programs that treat arbitrary binary
    data as long double representations, although the invalid
    representations of the ldbl-96 format do not need to be consistently
    handled the same as any particular valid representation.
    
    This patch makes the range reduction detect pseudo-zero and unnormal
    representations that would otherwise go to __kernel_rem_pio2, and
    returns a NaN for them instead of continuing with the range reduction
    process.  (Pseudo-zero and unnormal representations whose unbiased
    exponent is less than -1 have already been safely returned from the
    function before this point without going through the rest of range
    reduction.)  Pseudo-zero representations would previously result in
    the value passed to __kernel_rem_pio2 being all-zero, which is
    definitely unsafe; unnormal representations would previously result in
    a value passed whose high bit is zero, which might well be unsafe
    since that is not a form of input expected by __kernel_rem_pio2.
    
    Tested for x86_64.
    
    (cherry picked from commit 9333498794cde1d5cca518badf79533a24114b6f)

Comment 8 Sourceware Commits 2021-09-21 00:53:32 UTC

The release/2.27/master branch has been updated by Dmitry Levin <ldv@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=59420258afaf73dc8fab63ce186bac792613fe08

commit 59420258afaf73dc8fab63ce186bac792613fe08
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Wed Feb 12 23:31:56 2020 +0000

    Avoid ldbl-96 stack corruption from range reduction of pseudo-zero (bug 25487).
    
    Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
    argument (an representation where all the significand bits, including
    the explicit high bit, are zero, but the exponent is not zero, which
    is not a valid representation for the long double type).
    
    Although this is not a valid long double representation, existing
    practice in this area (see bug 4586, originally marked invalid but
    subsequently fixed) is that we still seek to avoid invalid memory
    accesses as a result, in case of programs that treat arbitrary binary
    data as long double representations, although the invalid
    representations of the ldbl-96 format do not need to be consistently
    handled the same as any particular valid representation.
    
    This patch makes the range reduction detect pseudo-zero and unnormal
    representations that would otherwise go to __kernel_rem_pio2, and
    returns a NaN for them instead of continuing with the range reduction
    process.  (Pseudo-zero and unnormal representations whose unbiased
    exponent is less than -1 have already been safely returned from the
    function before this point without going through the rest of range
    reduction.)  Pseudo-zero representations would previously result in
    the value passed to __kernel_rem_pio2 being all-zero, which is
    definitely unsafe; unnormal representations would previously result in
    a value passed whose high bit is zero, which might well be unsafe
    since that is not a form of input expected by __kernel_rem_pio2.
    
    Tested for x86_64.
    
    (cherry picked from commit 9333498794cde1d5cca518badf79533a24114b6f)

Comment 9 Carlos O'Donell 2023-07-25 13:26:53 UTC

This was fixed in 2020 with the work to handle pseudo-zero. Changing from RESOLVED INVALID to RESOLVED FIXED.

Comment 10 Siddhesh Poyarekar 2023-07-25 14:07:31 UTC

Adding the specific bug that tracked the printf fix.

*** This bug has been marked as a duplicate of bug 26649 ***