This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATH] Fix buffer overrun in stdlib/strtod_l.c
- From: Andreas Jaeger <aj at suse dot com>
- To: Liubov Dmitrieva <liubov dot dmitrieva at gmail dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Wed, 18 Sep 2013 13:42:04 +0200
- Subject: Re: [PATH] Fix buffer overrun in stdlib/strtod_l.c
- Authentication-results: sourceware.org; auth=none
- References: <CAHjhQ93NBWNfAKswzgFYSim81sbhiT1cUjLK6YSVqend4dH-jg at mail dot gmail dot com>
On 09/18/2013 01:40 PM, Liubov Dmitrieva wrote:
> Here is obvious buffer overrun in num[-1] access was detected thanks
> to Intel MPX technology (new memory bound checker I am testing now).
>
> http://software.intel.com/en-us/blogs/2013/07/22/intel-memory-protection-extensions-intel-mpx-support-in-the-gnu-toolchain
>
> Wrong order in the logical expression.
>
>
> diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
> index 8f60653..90541cd 100644
> --- a/stdlib/strtod_l.c
> +++ b/stdlib/strtod_l.c
> @@ -1752,7 +1752,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
> got_limb;
> }
>
> - for (i = densize; num[i] == 0 && i >= 0; --i)
> + for (i = densize; i >= 0 && num[i] == 0; --i)
> ;
> return round_and_return (retval, exponent - 1, negative,
> quot, BITS_PER_MP_LIMB - 1 - used,
>
>
> ChangeLog:
>
> 2013-09-18 Liubov Dmitrieva <liubov.dmitrieva@gmail.com>
>
> * stdlib/strtod_l.c: Fix buffer overrun.
>
> Ok to commit?
Yes, thanks,
Andreas
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126