Date: Thu, 2 Jun 2022 18:35:26 +0930
From: Alan Modra
To: binutils@sourceware.org
Subject: ubsan: signed integer overflow in atof_generic

Fix the signed overflows by using unsigned variables and detect overflow at BUG! comment.

	* atof-generic.c (atof_generic): Avoid signed integer overflow.
	Return ERROR_EXPONENT_OVERFLOW if exponent overflows a long.

diff --git a/gas/atof-generic.c b/gas/atof-generic.c index c3f818d9489..91583194868 100644 --- a/gas/atof-generic.c +++ b/gas/atof-generic.c @@ -72,11 +72,11 @@ atof_generic (/* return pointer to just AFTER number we read. */ const char *string_of_decimal_exponent_marks, FLONUM_TYPE *address_of_generic_floating_point_number) { - int return_value; /* 0 means OK. */ + int return_value = 0; /* 0 means OK. */ char *first_digit; unsigned int number_of_digits_before_decimal; unsigned int number_of_digits_after_decimal; - long decimal_exponent; + unsigned long decimal_exponent; unsigned int number_of_digits_available; char digits_sign_char; 
@@ -204,7 +204,7 @@ atof_generic (/* return pointer to just AFTER number we read. */ deleting zeros after decimal. In this case the decimal mark and the first zero digits after decimal mark are skipped. */ seen_significant_digit = 0; - signed long subtract_decimal_exponent = 0; + unsigned long subtract_decimal_exponent = 0; if (c && IS_DECIMAL_MARK (c)) { @@ -300,10 +300,11 @@ atof_generic (/* return pointer to just AFTER number we read. */ { if (ISDIGIT (c)) { + if (decimal_exponent > LONG_MAX / 10 + || (decimal_exponent == LONG_MAX / 10 + && c > '0' + (char) (LONG_MAX - LONG_MAX / 10 * 10))) + return_value = ERROR_EXPONENT_OVERFLOW; decimal_exponent = decimal_exponent * 10 + c - '0'; - /* - * BUG! If we overflow here, we lose! - */ } else { @@ -327,7 +328,6 @@ atof_generic (/* return pointer to just AFTER number we read. */ number_of_digits_available = number_of_digits_before_decimal + number_of_digits_after_decimal; - return_value = 0; if (number_of_digits_available == 0) { address_of_generic_floating_point_number->exponent = 0; /* Not strictly necessary */ @@ -505,7 +505,7 @@ atof_generic (/* return pointer to just AFTER number we read. */ size_of_power_in_littlenums = precision; /* Precision has a built-in fudge factor so we get a few guard bits. */ - decimal_exponent_is_negative = decimal_exponent < 0; + decimal_exponent_is_negative = (long) decimal_exponent < 0; if (decimal_exponent_is_negative) { decimal_exponent = -decimal_exponent; -- Alan Modra Australia Development Lab, IBM
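Review bot: In the @@ -72,11 hunk, the new `unsigned long decimal_exponent;` declaration needs a comment, because the variable still carries a signed quantity: the @@ -505,7 hunk tests `(long) decimal_exponent < 0` and then negates it. A one-line note at the declaration saying that this is a signed exponent held in an unsigned type so that arithmetic wraps instead of overflowing would stop a later reader from treating it as a plain magnitude or "fixing" the type back to `long`.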
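Review bot: In the @@ -300,10 hunk, the new check sets `return_value = ERROR_EXPONENT_OVERFLOW` but the following `decimal_exponent = decimal_exponent * 10 + c - '0';` still runs, so the exponent wraps and the wrapped value is what reaches the rest of the function. Unless every later use is guarded by `return_value`, consider skipping the accumulation once overflow has been flagged (the digits still need to be consumed so the returned pointer lands after the number). Two smaller points on the same lines: `LONG_MAX - LONG_MAX / 10 * 10` reads more plainly as `LONG_MAX % 10`, and the patch adds no `#include <limits.h>`, so it is worth confirming `LONG_MAX` is already visible in this file. The removed BUG! comment could be replaced by a short one stating what the test bounds. The diff touches only gas/atof-generic.c; a gas test with an over-long exponent would pin the new error path.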
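Review bot: In the @@ -505,7 hunk, `(long) decimal_exponent < 0` converts an out-of-range unsigned value to `long`, which is implementation-defined rather than undefined: ubsan stays quiet, but the result rests on the compiler's documented wrap-around behaviour. Writing the test as `decimal_exponent > LONG_MAX` expresses the same condition without the conversion and keeps the following `decimal_exponent = -decimal_exponent;` as a well-defined unsigned negation.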