This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATH] Fix buffer overrun in stdlib/strtod_l.c
- From: Liubov Dmitrieva <liubov dot dmitrieva at gmail dot com>
- To: Andreas Jaeger <aj at suse dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Thu, 19 Sep 2013 16:53:48 +0400
- Subject: Re: [PATH] Fix buffer overrun in stdlib/strtod_l.c
- Authentication-results: sourceware.org; auth=none
- References: <CAHjhQ93NBWNfAKswzgFYSim81sbhiT1cUjLK6YSVqend4dH-jg at mail dot gmail dot com> <5239918C dot 3040001 at suse dot com>
Committed.
--
Liubov
On Wed, Sep 18, 2013 at 3:42 PM, Andreas Jaeger <aj@suse.com> wrote:
> On 09/18/2013 01:40 PM, Liubov Dmitrieva wrote:
>> Here is an obvious buffer overrun in a num[-1] access that was detected thanks
>> to Intel MPX technology (a new memory bound checker I am testing now).
>>
>> http://software.intel.com/en-us/blogs/2013/07/22/intel-memory-protection-extensions-intel-mpx-support-in-the-gnu-toolchain
>>
>> Wrong order in the logical expression.
>>
>>
>> diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
>> index 8f60653..90541cd 100644
>> --- a/stdlib/strtod_l.c
>> +++ b/stdlib/strtod_l.c
>> @@ -1752,7 +1752,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
>> got_limb;
>> }
>>
>> - for (i = densize; num[i] == 0 && i >= 0; --i)
>> + for (i = densize; i >= 0 && num[i] == 0; --i)
>> ;
>> return round_and_return (retval, exponent - 1, negative,
>> quot, BITS_PER_MP_LIMB - 1 - used,
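Review bot: The reordered condition `i >= 0 && num[i] == 0` in the `for` line stops the read of `num[-1]`, but the loop can still finish with `i == -1` when every limb from `num[densize]` down to `num[0]` is zero. The `round_and_return` call that follows is cut off in this context, so please confirm that any later use of `i` accepts -1. The loop also still begins by reading `num[densize]`, which assumes `num` holds at least `densize + 1` limbs; a one-line comment stating that would help the next reader. A regression test with an input for which all limbs of `num` are zero would keep the two operands from being swapped back.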
>>
>>
>> ChangeLog:
>>
>> 2013-09-18 Liubov Dmitrieva <liubov.dmitrieva@gmail.com>
>>
>> * stdlib/strtod_l.c: Fix buffer overrun.
>>
>> Ok to commit?
>
> Yes, thanks,
>
> Andreas
> --
> Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
> SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
> GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
> GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126