toolchain/musl/patches/039-fix-integer-overflow-in-float-printf-needed-precision-computation.patch

   1 From 70d2687d85c314963cf280759b23fd4573ff0d82 Mon Sep 17 00:00:00 2001
   2 From: Rich Felker <dalias@aerifal.cx>
   3 Date: Wed, 19 Oct 2016 20:17:16 -0400
   4 Subject: fix integer overflow in float printf needed-precision computation
   5
   6 if the requested precision is close to INT_MAX, adding
   7 LDBL_MANT_DIG/3+8 overflows. in practice the resulting undefined
   8 behavior manifests as a large negative result, which is then used to
   9 compute the new end pointer (z) with a wildly out-of-bounds value
  10 (more overflow, more undefined behavior). the end result is at least
  11 incorrect output and character count (return value); worse things do
  12 not seem to happen, but detailed analysis has not been done.
  13
  14 this patch fixes the overflow by performing the intermediate
  15 computation as unsigned; after division by 9, the final result
  16 necessarily fits in int.
  17 ---
  18  src/stdio/vfprintf.c | 2 +-
  19  1 file changed, 1 insertion(+), 1 deletion(-)
  20
  21 diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
  22 index e439a07..cd17ad7 100644
  23 --- a/src/stdio/vfprintf.c
  24 +++ b/src/stdio/vfprintf.c
  25 @@ -312,7 +312,7 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t)
  26         }
  27         while (e2<0) {
  28                 uint32_t carry=0, *b;
  29 -               int sh=MIN(9,-e2), need=1+(p+LDBL_MANT_DIG/3+8)/9;
  30 +               int sh=MIN(9,-e2), need=1+(p+LDBL_MANT_DIG/3U+8)/9;
  31                 for (d=a; d<z; d++) {
  32                         uint32_t rm = *d & (1<<sh)-1;
  33                         *d = (*d>>sh) + carry;
  34 --
  35 cgit v0.11.2