Fix signed integer overflow in random

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

* Fix signed integer overflow in random_r (bug 17343)
@ 2018-03-16 17:33 Joseph Myers
  2018-03-17  0:26 ` Paul Eggert
  0 siblings, 1 reply; 4+ messages in thread
From: Joseph Myers @ 2018-03-16 17:33 UTC (permalink / raw)
  To: libc-alpha

Bug 17343 reports that stdlib/random_r.c has code with undefined
behavior because of signed integer overflow on int32_t.  This patch
changes the code so that the possibly overflowing computations use
unsigned arithmetic instead.

Note that the bug report refers to "Most code" in that file.  The
places changed in this patch are the only ones I found where I think
such overflow can occur.

Tested for x86_64 and x86.

2018-03-16  Joseph Myers  <joseph@codesourcery.com>

	[BZ #17343]
	* stdlib/random_r.c (__random_r): Use unsigned arithmetic for
	possibly overflowing computations.

diff --git a/stdlib/random_r.c b/stdlib/random_r.c
index 4d2f0d4..996f624 100644
--- a/stdlib/random_r.c
+++ b/stdlib/random_r.c
@@ -362,7 +362,7 @@ __random_r (struct random_data *buf, int32_t *result)
   if (buf->rand_type == TYPE_0)
     {
       int32_t val = state[0];
-      val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
+      val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
       state[0] = val;
       *result = val;
     }
@@ -371,9 +371,9 @@ __random_r (struct random_data *buf, int32_t *result)
       int32_t *fptr = buf->fptr;
       int32_t *rptr = buf->rptr;
       int32_t *end_ptr = buf->end_ptr;
-      int32_t val;
+      uint32_t val;
 
-      val = *fptr += *rptr;
+      val = *fptr += (uint32_t) *rptr;
       /* Chucking least random bit.  */
       *result = (val >> 1) & 0x7fffffff;
       ++fptr;

-- 
Joseph S. Myers
joseph@codesourcery.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Fix signed integer overflow in random_r (bug 17343)
  2018-03-16 17:33 Fix signed integer overflow in random_r (bug 17343) Joseph Myers
@ 2018-03-17  0:26 ` Paul Eggert
  2018-03-20 17:54   ` Joseph Myers
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Eggert @ 2018-03-17  0:26 UTC (permalink / raw)
  To: Joseph Myers, libc-alpha

Joseph Myers wrote:
>         int32_t val = state[0];
> -      val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
> +      val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;

The first assignment to VAL (in the unchanged line) is unnecessary; I suggest 
coalescing the two lines.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Fix signed integer overflow in random_r (bug 17343)
  2018-03-17  0:26 ` Paul Eggert
@ 2018-03-20 17:54   ` Joseph Myers
  2018-03-20 17:58     ` Paul Eggert
  0 siblings, 1 reply; 4+ messages in thread
From: Joseph Myers @ 2018-03-20 17:54 UTC (permalink / raw)
  To: Paul Eggert; +Cc: libc-alpha

On Fri, 16 Mar 2018, Paul Eggert wrote:

> Joseph Myers wrote:
> >         int32_t val = state[0];
> > -      val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
> > +      val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
> 
> The first assignment to VAL (in the unchanged line) is unnecessary; I suggest
> coalescing the two lines.

Here's a version of the patch that includes that cleanup.


Fix signed integer overflow in random_r (bug 17343).

Bug 17343 reports that stdlib/random_r.c has code with undefined
behavior because of signed integer overflow on int32_t.  This patch
changes the code so that the possibly overflowing computations use
unsigned arithmetic instead.

Note that the bug report refers to "Most code" in that file.  The
places changed in this patch are the only ones I found where I think
such overflow can occur.

Tested for x86_64 and x86.

2018-03-20  Joseph Myers  <joseph@codesourcery.com>

	[BZ #17343]
	* stdlib/random_r.c (__random_r): Use unsigned arithmetic for
	possibly overflowing computations.

diff --git a/stdlib/random_r.c b/stdlib/random_r.c
index 4d2f0d4..7342cd8 100644
--- a/stdlib/random_r.c
+++ b/stdlib/random_r.c
@@ -361,8 +361,7 @@ __random_r (struct random_data *buf, int32_t *result)
 
   if (buf->rand_type == TYPE_0)
     {
-      int32_t val = state[0];
-      val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
+      int32_t val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
       state[0] = val;
       *result = val;
     }
@@ -371,9 +370,9 @@ __random_r (struct random_data *buf, int32_t *result)
       int32_t *fptr = buf->fptr;
       int32_t *rptr = buf->rptr;
       int32_t *end_ptr = buf->end_ptr;
-      int32_t val;
+      uint32_t val;
 
-      val = *fptr += *rptr;
+      val = *fptr += (uint32_t) *rptr;
       /* Chucking least random bit.  */
       *result = (val >> 1) & 0x7fffffff;
       ++fptr;

-- 
Joseph S. Myers
joseph@codesourcery.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Fix signed integer overflow in random_r (bug 17343)
  2018-03-20 17:54   ` Joseph Myers
@ 2018-03-20 17:58     ` Paul Eggert
  0 siblings, 0 replies; 4+ messages in thread
From: Paul Eggert @ 2018-03-20 17:58 UTC (permalink / raw)
  To: Joseph Myers; +Cc: libc-alpha

On 03/20/2018 10:54 AM, Joseph Myers wrote:
>         *result = (val >> 1) & 0x7fffffff;

One other thing I just noticed: now that val is uint32_t, the above 
should be simplifed to "*result = val >> 1;". The patch looks good 
otherwise; thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-03-20 17:58 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-16 17:33 Fix signed integer overflow in random_r (bug 17343) Joseph Myers
2018-03-17  0:26 ` Paul Eggert
2018-03-20 17:54   ` Joseph Myers
2018-03-20 17:58     ` Paul Eggert

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).