From: Joseph Myers <joseph@codesourcery.com>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: <libc-alpha@sourceware.org>
Subject: Re: Fix signed integer overflow in random_r (bug 17343)
Date: Tue, 20 Mar 2018 17:54:00 -0000 [thread overview]
Message-ID: <alpine.DEB.2.20.1803201754080.4945@digraph.polyomino.org.uk> (raw)
In-Reply-To: <be4d13fb-ba70-681d-63ce-ba2bed6ead68@cs.ucla.edu>
On Fri, 16 Mar 2018, Paul Eggert wrote:
> Joseph Myers wrote:
> > int32_t val = state[0];
> > - val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
> > + val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
>
> The first assignment to VAL (in the unchanged line) is unnecessary; I suggest
> coalescing the two lines.
Here's a version of the patch that includes that cleanup.
Fix signed integer overflow in random_r (bug 17343).
Bug 17343 reports that stdlib/random_r.c has code with undefined
behavior because of signed integer overflow on int32_t. This patch
changes the code so that the possibly overflowing computations use
unsigned arithmetic instead.
Note that the bug report refers to "Most code" in that file. The
places changed in this patch are the only ones I found where I think
such overflow can occur.
Tested for x86_64 and x86.
2018-03-20 Joseph Myers <joseph@codesourcery.com>
[BZ #17343]
* stdlib/random_r.c (__random_r): Use unsigned arithmetic for
possibly overflowing computations.
diff --git a/stdlib/random_r.c b/stdlib/random_r.c
index 4d2f0d4..7342cd8 100644
--- a/stdlib/random_r.c
+++ b/stdlib/random_r.c
@@ -361,8 +361,7 @@ __random_r (struct random_data *buf, int32_t *result)
if (buf->rand_type == TYPE_0)
{
- int32_t val = state[0];
- val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
+ int32_t val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
state[0] = val;
*result = val;
}
@@ -371,9 +370,9 @@ __random_r (struct random_data *buf, int32_t *result)
int32_t *fptr = buf->fptr;
int32_t *rptr = buf->rptr;
int32_t *end_ptr = buf->end_ptr;
- int32_t val;
+ uint32_t val;
- val = *fptr += *rptr;
+ val = *fptr += (uint32_t) *rptr;
/* Chucking least random bit. */
*result = (val >> 1) & 0x7fffffff;
++fptr;
--
Joseph S. Myers
joseph@codesourcery.com
next prev parent reply other threads:[~2018-03-20 17:54 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-16 17:33 Joseph Myers
2018-03-17 0:26 ` Paul Eggert
2018-03-20 17:54 ` Joseph Myers [this message]
2018-03-20 17:58 ` Paul Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.20.1803201754080.4945@digraph.polyomino.org.uk \
--to=joseph@codesourcery.com \
--cc=eggert@cs.ucla.edu \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).