This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH] Fix potential access beyond array bounds in m1np
- From: Siddhesh Poyarekar <siddhesh at redhat dot com>
- To: libc-alpha at sourceware dot org
- Date: Fri, 28 Dec 2012 17:35:12 +0530
- Subject: [PATCH] Fix potential access beyond array bounds in m1np
Hi,
The mpexp code has an access into m1np:
for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0) break; }
which could break for p >= 18 or i >= 7. Fortunately this code is
never called due to the way the exp function is implemented since
values having exponent less than -55 return 1.0. Nevertheless this
patch puts in a check to ensure that it never happens. Verified that
this does not break the testsuite. OK to commit?
Siddhesh
* sysdeps/ieee754/dbl-64/mpexp.c (__mpexp): Limit m1np access
to within its bounds.
diff --git a/sysdeps/ieee754/dbl-64/mpexp.c b/sysdeps/ieee754/dbl-64/mpexp.c
index c5a0283..f15ae8a 100644
--- a/sysdeps/ieee754/dbl-64/mpexp.c
+++ b/sysdeps/ieee754/dbl-64/mpexp.c
@@ -71,7 +71,7 @@ __mpexp(mp_no *x, mp_no *y, int p) {
for (i=2; i<=p; i++) { if (X[i]!=ZERO) break; }
if (i==p+1) { m2--; a *= TWO; }
}
- if ((m=m1+m2) <= 0) {
+ if (__glibc_unlikely (p < 18 && (m=m1+m2) <= 0)) {
m=0; a=ONE;
for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0) break; }
}
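Review bot: In the new condition, `p < 18 && (m=m1+m2) <= 0` short-circuits, so for p >= 18 the assignment m=m1+m2 is no longer executed and m keeps whatever value it had before this line. Before the change m was always assigned here. Any later use of m would then see a different value on that path. Suggest hoisting the assignment out of the test (`m = m1 + m2;` on its own line, then `if (__glibc_unlikely (p < 18 && m <= 0))`), so the guard affects only the m1np lookup. The guard also covers only the second index: the loop still starts at i=n-1, and nothing in the visible lines bounds n-1 below 7, the other limit named in the description. Either add that check or a comment saying why n cannot reach it here. The bare 18 would also read better tied to the m1np dimension, by a comment or a named constant, so the check does not silently go stale if the table changes.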