This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH v4] Fix potential access beyond array bounds in m1np
On Fri, Dec 28, 2012 at 06:02:51PM +0100, Andreas Jaeger wrote:
> >+ if (__glibc_unlikely (p < 18 && m <= 0)) {
>
> I would rather have an assert (p < 18) here - or is there a specific
> reason for not having it?
>
I was just being conservative; I don't mind an assert either if you
prefer that. Here's v4 then - I have cleaned up the code styling in
that block since the earlier 'style' is ugly.
Siddhesh
* sysdeps/ieee754/dbl-64/mpexp.c (__mpexp): Add assert to
check access beyond bounds of m1np.
diff --git a/sysdeps/ieee754/dbl-64/mpexp.c b/sysdeps/ieee754/dbl-64/mpexp.c
index c5a0283..53e8b74 100644
--- a/sysdeps/ieee754/dbl-64/mpexp.c
+++ b/sysdeps/ieee754/dbl-64/mpexp.c
@@ -31,6 +31,7 @@
#include "endian.h"
#include "mpa.h"
#include "mpexp.h"
+#include <assert.h>
#ifndef SECTION
# define SECTION
@@ -71,10 +72,22 @@ __mpexp(mp_no *x, mp_no *y, int p) {
for (i=2; i<=p; i++) { if (X[i]!=ZERO) break; }
if (i==p+1) { m2--; a *= TWO; }
}
- if ((m=m1+m2) <= 0) {
- m=0; a=ONE;
- for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0) break; }
- }
+
+ m = m1 + m2;
+ if (__glibc_unlikely (m <= 0))
+ {
+ /* The m1np array which is used to determine if we can reduce the
+ polynomial expansion iterations, has only 18 elements. Besides,
+ numbers smaller than those required by p >= 18 should not come here
+ at all since the fast phase of exp returns 1.0 for anything less
+ than 2^-55. */
+ assert (p < 18);
+ m = 0;
+ a = ONE;
+ for (i = n - 1; i > 0; i--, n--)
+ if (m1np[i][p] + m2 > 0)
+ break;
+ }
/* Compute s=x*2**(-m). Put result in mps */
__dbl_mp(a,&mpt1,p);