author | Adam Majer <amajer@suse.de> | 2018-07-05 17:40:24 +0200 |
---|---|---|
committer | H. Peter Anvin <hpa@zytor.com> | 2018-07-06 03:08:15 -0700 |
commit | c7c28357c85fb0bf4105419195bc204aea0fef35 (patch) | |
tree | e450d12452ef9f130e8f3397616c7cc9ec6890b3 | |
parent | 70d429676bd5db1a5d437ee6f796fd4f0e122434 (diff) | |
download | nasm-c7c28357c85fb0bf4105419195bc204aea0fef35.tar.gz |
asm/float.c: fix buffer underflow in float parsing
When we suffer an underflow that crosses limb boundaries, it is possible
to end up with a stack underflow. Put in an explicit check for this
case (the mantissa will be zero in this case.)
https://bugzilla.nasm.us/show_bug.cgi?id=3392445
Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
diff --git a/asm/float.c b/asm/float.c
index dcf69fea..2965d3db 100644
--- a/asm/float.c
+++ b/asm/float.c
@@ -608,6 +608,8 @@ static void ieee_shr(fp_limb *mant, int i)
if (offs)
for (j = MANT_LIMBS-1; j >= offs; j--)
mant[j] = mant[j-offs];
+ } else if (MANT_LIMBS-1-offs < 0) {
+ j = MANT_LIMBS-1;
} else {
n = mant[MANT_LIMBS-1-offs] >> sr;
for (j = MANT_LIMBS-1; j > offs; j--) {
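Review bot: the added `else if (MANT_LIMBS-1-offs < 0)` branch only assigns `j = MANT_LIMBS-1` and carries no comment, so a reader cannot tell from this function alone that the intent is to treat the whole mantissa as shifted out. The commit message says the mantissa will be zero in this case, but nothing in the visible lines zeroes it, so the branch depends on code after the hunk picking up `j` and clearing the limbs; a one-line comment stating that would make the dependency explicit. The condition would also read more directly as `offs >= MANT_LIMBS`, which is the same test and names the actual bound that keeps `mant[MANT_LIMBS-1-offs]` in the following `else` from being read with a negative index. The preceding branch's loop `for (j = MANT_LIMBS-1; j >= offs; j--)` does not execute when `offs` is that large, so it needs no matching guard, but the check here covers only an oversized `offs`; since `i` is a signed `int`, it is worth confirming in the caller or with an assertion that the shift count cannot be negative.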
-rw-r--r-- | asm/float.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/asm/float.c b/asm/float.c index fd66ef38..87db8561 100644 --- a/asm/float.c +++ b/asm/float.c @@ -608,6 +608,8 @@ static void ieee_shr(fp_limb *mant, int i) if (offs) for (j = MANT_LIMBS-1; j >= offs; j--) mant[j] = mant[j-offs]; + } else if (MANT_LIMBS-1-offs < 0) { + j = MANT_LIMBS-1; } else { n = mant[MANT_LIMBS-1-offs] >> sr; for (j = MANT_LIMBS-1; j > offs; j--) { |