This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[PATCH v3] Fix potential access beyond array bounds in m1np
On Fri, Dec 28, 2012 at 03:19:05PM +0100, Andreas Schwab wrote:
> m remains uninitialized if p >= 18. The assignment should be moved out
> of the condition anyway.
>
Thanks, here's v3:
diff --git a/sysdeps/ieee754/dbl-64/mpexp.c b/sysdeps/ieee754/dbl-64/mpexp.c
index c5a0283..6d07318 100644
--- a/sysdeps/ieee754/dbl-64/mpexp.c
+++ b/sysdeps/ieee754/dbl-64/mpexp.c
@@ -71,7 +71,14 @@ __mpexp(mp_no *x, mp_no *y, int p) {
for (i=2; i<=p; i++) { if (X[i]!=ZERO) break; }
if (i==p+1) { m2--; a *= TWO; }
}
- if ((m=m1+m2) <= 0) {
+
+ m = m1 + m2;
+
+ /* m1np is used to determine if we could reduce the number of iterations of
+ the polynomial expansion. We only have data up to precision of 18 and
+ anything equal to or greater than that will result in an access beyond
+ array bounds. */
+ if (__glibc_unlikely (p < 18 && m <= 0)) {
m=0; a=ONE;
for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0) break; }
}
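Review bot: In the new condition `p < 18 && m <= 0`, the `p < 18` test also guards `m=0; a=ONE;`, which never index `m1np`. For p >= 18 with m1 + m2 <= 0, m is now left non-positive and a is not reset to ONE, whereas the removed line ran both assignments whenever m <= 0. If that behaviour change is not intended, keep the outer test as `m <= 0` and place only the loop that reads `m1np[i][p]` under `p < 18`. Separately, the literal 18 repeats the limit described in the comment. Tying it to the table's size with a named constant would keep the check from drifting if the table grows.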