math/mpx.c (mpx_lsr): Fix pointer out-of-bounds bug.

[catacomb] / math / mpx.c

diff --git a/math/mpx.c b/math/mpx.c
index 18baf2f2097cf30bad7d75f536b794182ca46cd7..3983e7cad60e623b40902c0c68bf576cad8f6559 100644 (file)
--- a/math/mpx.c
+++ b/math/mpx.c
@@ -545,15 +545,21 @@ MPX_SHIFTOP(lsr, {
   size_t nr = MPW_BITS - nb;
   mpw w;
 
-  av += nw;
-  w = av < avl ? *av++ : 0;
-  while (av < avl) {
-    mpw t;
-    if (dv >= dvl) goto done;
-    t = *av++;
-    *dv++ = MPW((w >> nb) | (t << nr));
-    w = t;
+  if (nw >= avl - av)
+    w = 0;
+  else {
+    av += nw;
+    w = *av++;
+
+    while (av < avl) {
+      mpw t;
+      if (dv >= dvl) goto done;
+      t = *av++;
+      *dv++ = MPW((w >> nb) | (t << nr));
+      w = t;
+    }
   }
+
   if (dv < dvl) {
     *dv++ = MPW(w >> nb);
     MPX_ZERO(dv, dvl);