This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH v4] Fix potential access beyond array bounds in m1np
- From: Andreas Jaeger <aj at suse dot com>
- To: Siddhesh Poyarekar <siddhesh at redhat dot com>
- Cc: Andreas Schwab <schwab at linux-m68k dot org>, libc-alpha at sourceware dot org
- Date: Tue, 01 Jan 2013 14:34:31 +0100
- Subject: Re: [PATCH v4] Fix potential access beyond array bounds in m1np
- References: <20121228120511.GC25030@spoyarek.pnq.redhat.com> <50DD913B.9070908@suse.com> <20121228130043.GD25030@spoyarek.pnq.redhat.com> <m2y5giw97q.fsf@igel.home> <20121228145951.GH25030@spoyarek.pnq.redhat.com> <50DDD0BB.80503@suse.com> <20121229014333.GB3646@spoyarek.pnq.redhat.com>
On 12/29/2012 02:43 AM, Siddhesh Poyarekar wrote:
> On Fri, Dec 28, 2012 at 06:02:51PM +0100, Andreas Jaeger wrote:
+ if (__glibc_unlikely (p < 18 && m <= 0)) {
> > I would rather have an assert (p < 18) here - or is there a specific
> > reason for not having it?
> I was just being conservative; I don't mind an assert either if you
> prefer that. Here's v4 then - I have cleaned up the code styling in
> that block since the earlier 'style' is ugly.
This is fine, thanks,
Andreas
> Siddhesh
* sysdeps/ieee754/dbl-64/mpexp.c (__mpexp): Add assert to
check access beyond bounds of m1np.
diff --git a/sysdeps/ieee754/dbl-64/mpexp.c b/sysdeps/ieee754/dbl-64/mpexp.c
index c5a0283..53e8b74 100644
--- a/sysdeps/ieee754/dbl-64/mpexp.c
+++ b/sysdeps/ieee754/dbl-64/mpexp.c
@@ -31,6 +31,7 @@
#include "endian.h"
#include "mpa.h"
#include "mpexp.h"
+#include <assert.h>
#ifndef SECTION
# define SECTION
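Review bot: the new `#include <assert.h>` is appended after the three quoted project headers (`endian.h`, `mpa.h`, `mpexp.h`) rather than grouped with system headers. If the file has other angle-bracket includes above the lines shown in this hunk, place it with them so system and project headers stay separate.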
@@ -71,10 +72,22 @@ __mpexp(mp_no *x, mp_no *y, int p) {
for (i=2; i<=p; i++) { if (X[i]!=ZERO) break; }
if (i==p+1) { m2--; a *= TWO; }
}
- if ((m=m1+m2) <= 0) {
- m=0; a=ONE;
- for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0) break; }
- }
+
+ m = m1 + m2;
+ if (__glibc_unlikely (m <= 0))
+ {
+ /* The m1np array which is used to determine if we can reduce the
+ polynomial expansion iterations, has only 18 elements. Besides,
+ numbers smaller than those required by p >= 18 should not come here
+ at all since the fast phase of exp returns 1.0 for anything less
+ than 2^-55. */
+ assert (p < 18);
+ m = 0;
+ a = ONE;
+ for (i = n - 1; i > 0; i--, n--)
+ if (m1np[i][p] + m2 > 0)
+ break;
+ }
/* Compute s=x*2**(-m). Put result in mps */
__dbl_mp(a,&mpt1,p);
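Review bot: the `assert (p < 18)` at the top of the new `m <= 0` block is the only guard on the second index of `m1np[i][p]`, and it compiles away when the file is built with NDEBUG, leaving the read unchecked in exactly the builds that ship. The earlier iteration quoted in this thread tested `p < 18` at run time; if the intent is that `p >= 18` can never reach this branch, keeping a run-time condition around the `for` loop alone (so `m = 0` and `a = ONE` are still assigned) would preserve that protection without changing the result. Separately, only `p` is bounded here: the first index `i` starts at `n - 1`, and the visible lines do not show how `n` relates to the first dimension of `m1np`, so the comment should state that bound as well or the assert should cover it. A short remark that the loop exists to reduce `n` as a side effect would also help, since the body is just `break`.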
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126