This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Fix potential access beyond array bounds in m1np
- From: Andreas Jaeger <aj at suse dot com>
- To: Siddhesh Poyarekar <siddhesh at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Fri, 28 Dec 2012 13:31:55 +0100
- Subject: Re: [PATCH] Fix potential access beyond array bounds in m1np
- References: <20121228120511.GC25030@spoyarek.pnq.redhat.com>
On 12/28/2012 01:05 PM, Siddhesh Poyarekar wrote:
Hi,
The mpexp code has an access into m1np:
for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0) break; }
which could break for p >= 18 or i >= 7. Fortunately this code is
never called due to the way the exp function is implemented since
values having exponent less than -55 return 1.0. Nevertheless this
patch puts in a check to ensure that it never happens. Verified that
this does not break the testsuite. OK to commit?
>
Siddhesh
* sysdeps/ieee754/dbl-64/mpexp.c (__mpexp): Limit m1np access
to within its bounds.
diff --git a/sysdeps/ieee754/dbl-64/mpexp.c b/sysdeps/ieee754/dbl-64/mpexp.c
index c5a0283..f15ae8a 100644
--- a/sysdeps/ieee754/dbl-64/mpexp.c
+++ b/sysdeps/ieee754/dbl-64/mpexp.c
@@ -71,7 +71,7 @@ __mpexp(mp_no *x, mp_no *y, int p) {
for (i=2; i<=p; i++) { if (X[i]!=ZERO) break; }
if (i==p+1) { m2--; a *= TWO; }
}
- if ((m=m1+m2) <= 0) {
+ if (__glibc_unlikely (p < 18 && (m=m1+m2) <= 0)) {
So, what should happen for p >= 18? Shouldn't this be an assert?
An additional note: This would need a comment to state why it checks
against 18.
m=0; a=ONE;
for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0) break; }
}
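Review bot: In the new condition `p < 18 && (m=m1+m2) <= 0`, the assignment to m sits on the right-hand side of `&&`, so for p >= 18 it is short-circuited away and m is never set to m1+m2 by this statement; code after the block then sees whatever value m held before. Suggest making `m = m1 + m2;` its own statement ahead of the `if` and keeping only the comparisons (`m <= 0` and the bound on p) in the condition. The guard also bounds only the second index: the first index `i = n-1` into m1np is not checked here, although the description names i >= 7 as a failing case too.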
Andreas
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126