From: Mark Wooding Date: Fri, 22 Jun 2018 11:45:22 +0000 (+0100) Subject: math/mpx.c (mpx_lsr): Fix pointer out-of-bounds bug. X-Git-Tag: 2.4.3~22 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/catacomb/commitdiff_plain/85e29c6edea1042eafbb8345ba0a7d805fa9b4bd math/mpx.c (mpx_lsr): Fix pointer out-of-bounds bug. If `n' is huge, and `av' is near the top of memory (e.g., in the top quarter, if we're using 32-bit digits) then `av + n' wraps around, and is consequently less than `avl', leading to all sorts of unfortunate behaviour. Noticed under `qemu-arm' on stretch, but generally applicable. --- diff --git a/math/mpx.c b/math/mpx.c index 18baf2f2..3983e7ca 100644 --- a/math/mpx.c +++ b/math/mpx.c @@ -545,15 +545,21 @@ MPX_SHIFTOP(lsr, { size_t nr = MPW_BITS - nb; mpw w; - av += nw; - w = av < avl ? *av++ : 0; - while (av < avl) { - mpw t; - if (dv >= dvl) goto done; - t = *av++; - *dv++ = MPW((w >> nb) | (t << nr)); - w = t; + if (nw >= avl - av) + w = 0; + else { + av += nw; + w = *av++; + + while (av < avl) { + mpw t; + if (dv >= dvl) goto done; + t = *av++; + *dv++ = MPW((w >> nb) | (t << nr)); + w = t; + } } + if (dv < dvl) { *dv++ = MPW(w >> nb); MPX_ZERO(dv, dvl);
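Review bot: the new guard `if (nw >= avl - av)` is the right shape, because it compares the word count against the number of digits remaining instead of forming `av + nw` and then comparing pointers; it is worth adding a comment that the old code was undefined behaviour even where the addition did not wrap, since C only allows forming a pointer up to one past the end of the array, and that the guard relies on the invariant `av <= avl` holding on entry. Minor: `avl - av` is a `ptrdiff_t` compared against the `size_t` `nw`; an explicit `(size_t)(avl - av)` would document that the difference is known to be non-negative and keep sign-compare warnings quiet. The `w = 0` branch still falls through to `if (dv < dvl) { *dv++ = MPW(w >> nb); MPX_ZERO(dv, dvl);`, so a shift that consumes the whole input correctly produces an all-zero result, matching what the old `av < avl ? *av++ : 0` path did when the pointer arithmetic happened to behave.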
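As an added illustration of the pattern the fix adopts (this is not Catacomb's code; the `digit` type, the `shift_right` function and the test vectors below are constructed for this example): a bounded right shift over a little-endian array of 32-bit words that compares the word-shift count against the remaining input length, so the pointer `av + nw` is only ever formed once it is known to lie inside the array. The self-test includes the case from the commit message, a shift count near `SIZE_MAX`, which with the old `av += nw; if (av < avl)` idiom could wrap and pass the bounds check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a 32-bit "digit" standing in for Catacomb's mpw. */
typedef uint32_t digit;
#define DIGIT_BITS 32u

/* Shift the little-endian digit array [av, avl) right by nbits, writing
 * the result into [dv, dvl) and zero-filling any remaining output digits.
 * Returns the number of output digits written (always dvl - dv).
 *
 * The bounds check is done on lengths, never on a pointer that might not
 * exist: `av + nw` is formed only after `nw < avl - av` is established. */
static size_t shift_right(digit *dv, const digit *dvl,
                          const digit *av, const digit *avl, size_t nbits)
{
  size_t nw = nbits / DIGIT_BITS;   /* whole digits to drop */
  size_t nb = nbits % DIGIT_BITS;   /* residual bit shift */
  digit *d0 = dv;

  /* Everything shifted out: the result is zero. This is the branch that
   * the unsafe `av += nw; w = av < avl ? *av++ : 0;` idiom got wrong when
   * av + nw wrapped around and compared "less than" avl. */
  if (nw >= (size_t)(avl - av)) {
    while (dv < dvl) *dv++ = 0;
    return (size_t)(dv - d0);
  }

  av += nw;                         /* provably still inside the array */
  if (nb == 0) {
    /* Pure digit move; no cross-digit bit mixing, and it avoids t << 32. */
    while (av < avl && dv < dvl) *dv++ = *av++;
  } else {
    size_t nr = DIGIT_BITS - nb;
    digit w = *av++;
    while (av < avl && dv < dvl) {
      digit t = *av++;
      *dv++ = (w >> nb) | (t << nr);
      w = t;
    }
    /* Top digit of the input: only its high bits survive. */
    if (av >= avl && dv < dvl) *dv++ = w >> nb;
  }
  while (dv < dvl) *dv++ = 0;       /* zero-fill like MPX_ZERO(dv, dvl) */
  return (size_t)(dv - d0);
}

/* Runs constructed test vectors; returns 1 on success, 0 on the first
 * mismatch. Kept as a function so it can be asserted on, not just printed. */
static int selftest(void)
{
  digit a[2], d[2];

  /* 2^32 >> 1 == 2^31 */
  a[0] = 0x00000000u; a[1] = 0x00000001u;
  if (shift_right(d, d + 2, a, a + 2, 1) != 2) return 0;
  if (d[0] != 0x80000000u || d[1] != 0) return 0;

  /* 3 * 2^32 >> 33 == 1 (nw = 1, nb = 1) */
  a[0] = 0x00000000u; a[1] = 0x00000003u;
  if (shift_right(d, d + 2, a, a + 2, 33) != 2) return 0;
  if (d[0] != 1 || d[1] != 0) return 0;

  /* Whole-digit shift (nb == 0) */
  a[0] = 0x11111111u; a[1] = 0x22222222u;
  if (shift_right(d, d + 2, a, a + 2, 32) != 2) return 0;
  if (d[0] != 0x22222222u || d[1] != 0) return 0;

  /* The bug case: a huge count must yield zero without forming av + nw. */
  if (shift_right(d, d + 2, a, a + 2, SIZE_MAX) != 2) return 0;
  if (d[0] != 0 || d[1] != 0) return 0;

  return 1;
}

int main(void)
{
  printf("shift_right self-test: %s\n", selftest() ? "ok" : "FAILED");
  return selftest() ? 0 : 1;
}
```

The point of comparing `nw` with `(size_t)(avl - av)` rather than `av + nw` with `avl` is that the difference of two pointers into the same array is always a valid, finite value, whereas the sum may not be a valid pointer at all; the cast documents that the difference is known to be non-negative because the caller guarantees `av <= avl`.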