This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATH] Fix buffer overrun in stdlib/strtod_l.c

From: Liubov Dmitrieva <liubov dot dmitrieva at gmail dot com>
To: GNU C Library <libc-alpha at sourceware dot org>
Date: Wed, 18 Sep 2013 15:40:41 +0400
Subject: [PATH] Fix buffer overrun in stdlib/strtod_l.c
Authentication-results: sourceware.org; auth=none

Here is obvious buffer overrun in num[-1] access was detected thanks
to Intel MPX technology (new memory bound checker I am testing now).

http://software.intel.com/en-us/blogs/2013/07/22/intel-memory-protection-extensions-intel-mpx-support-in-the-gnu-toolchain

Wrong order in the logical expression.


diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
index 8f60653..90541cd 100644
--- a/stdlib/strtod_l.c
+++ b/stdlib/strtod_l.c
@@ -1752,7 +1752,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
              got_limb;
            }

-         for (i = densize; num[i] == 0 && i >= 0; --i)
+         for (i = densize; i >= 0 && num[i] == 0; --i)
            ;
          return round_and_return (retval, exponent - 1, negative,
                                   quot, BITS_PER_MP_LIMB - 1 - used,


ChangeLog:

2013-09-18  Liubov Dmitrieva  <liubov.dmitrieva@gmail.com>

     * stdlib/strtod_l.c: Fix buffer overrun.

Ok to commit?

--
Liubov
Intel Corporation

Follow-Ups:
- Re: [PATH] Fix buffer overrun in stdlib/strtod_l.c
  - From: Andreas Jaeger

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]