authorAdam Majer <amajer@suse.de>2018-07-05 17:40:24 +0200
committerH. Peter Anvin <hpa@zytor.com>2018-07-06 03:08:15 -0700
commitc7c28357c85fb0bf4105419195bc204aea0fef35 (patch)
treee450d12452ef9f130e8f3397616c7cc9ec6890b3
parent70d429676bd5db1a5d437ee6f796fd4f0e122434 (diff)
downloadnasm-c7c28357c85fb0bf4105419195bc204aea0fef35.tar.gz
asm/float.c: fix buffer underflow in float parsing
When we suffer an underflow that cross limb boundaries, it is possible to end up with a stack underflow. Put in an explicit check for this case (the mantissa will be zero in this case.)
https://bugzilla.nasm.us/show_bug.cgi?id=3392445
Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
diff --git a/asm/float.c b/asm/float.c
index dcf69fea..2965d3db 100644
--- a/asm/float.c
+++ b/asm/float.c
@@ -608,6 +608,8 @@ static void ieee_shr(fp_limb *mant, int i)
if (offs)
for (j = MANT_LIMBS-1; j >= offs; j--)
mant[j] = mant[j-offs];
+ } else if (MANT_LIMBS-1-offs < 0) {
+ j = MANT_LIMBS-1;
} else {
n = mant[MANT_LIMBS-1-offs] >> sr;
for (j = MANT_LIMBS-1; j > offs; j--) {
-rw-r--r--asm/float.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/asm/float.c b/asm/float.c
index fd66ef38..87db8561 100644
--- a/asm/float.c
+++ b/asm/float.c
@@ -608,6 +608,8 @@ static void ieee_shr(fp_limb *mant, int i)
if (offs)
for (j = MANT_LIMBS-1; j >= offs; j--)
mant[j] = mant[j-offs];
+ } else if (MANT_LIMBS-1-offs < 0) {
+ j = MANT_LIMBS-1;
} else {
n = mant[MANT_LIMBS-1-offs] >> sr;
for (j = MANT_LIMBS-1; j > offs; j--) {
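Review bot: The new guard on the `else if` line is spelled `MANT_LIMBS-1-offs < 0`, which obscures the condition it actually tests (the shift moves every limb out of the mantissa) and would silently become always-false if MANT_LIMBS were ever defined as an unsigned or sizeof-derived expression; `} else if (offs >= MANT_LIMBS) {` states the same condition and is safe under either type. The branch also needs a comment, because `j = MANT_LIMBS-1` only makes sense together with whatever fill loop follows the if/else: `/* Shift count covers the whole mantissa: skip the limb read (it would index below mant[]) and let the zero-fill below clear every limb. */`. Neither the old nor the new branch guards a negative shift count (`i < 0`) if offs can go negative here; if callers can pass one, an early check at the top of ieee_shr would be cleaner than a further branch. ieee_shr begins before and ends after this hunk, so the computation of offs/sr and the trailing fill loop are not visible.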