* Fix signed integer overflow in random_r (bug 17343)
@ 2018-03-16 17:33 Joseph Myers
2018-03-17 0:26 ` Paul Eggert
0 siblings, 1 reply; 4+ messages in thread
From: Joseph Myers @ 2018-03-16 17:33 UTC (permalink / raw)
To: libc-alpha
Bug 17343 reports that stdlib/random_r.c has code with undefined
behavior because of signed integer overflow on int32_t. This patch
changes the code so that the possibly overflowing computations use
unsigned arithmetic instead.
Note that the bug report refers to "Most code" in that file. The
places changed in this patch are the only ones I found where I think
such overflow can occur.
Tested for x86_64 and x86.
2018-03-16 Joseph Myers <joseph@codesourcery.com>
[BZ #17343]
* stdlib/random_r.c (__random_r): Use unsigned arithmetic for
possibly overflowing computations.
diff --git a/stdlib/random_r.c b/stdlib/random_r.c
index 4d2f0d4..996f624 100644
--- a/stdlib/random_r.c
+++ b/stdlib/random_r.c
@@ -362,7 +362,7 @@ __random_r (struct random_data *buf, int32_t *result)
if (buf->rand_type == TYPE_0)
{
int32_t val = state[0];
- val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
+ val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
state[0] = val;
*result = val;
}
@@ -371,9 +371,9 @@ __random_r (struct random_data *buf, int32_t *result)
int32_t *fptr = buf->fptr;
int32_t *rptr = buf->rptr;
int32_t *end_ptr = buf->end_ptr;
- int32_t val;
+ uint32_t val;
- val = *fptr += *rptr;
+ val = *fptr += (uint32_t) *rptr;
/* Chucking least random bit. */
*result = (val >> 1) & 0x7fffffff;
++fptr;
--
Joseph S. Myers
joseph@codesourcery.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Fix signed integer overflow in random_r (bug 17343)
2018-03-16 17:33 Fix signed integer overflow in random_r (bug 17343) Joseph Myers
@ 2018-03-17 0:26 ` Paul Eggert
2018-03-20 17:54 ` Joseph Myers
0 siblings, 1 reply; 4+ messages in thread
From: Paul Eggert @ 2018-03-17 0:26 UTC (permalink / raw)
To: Joseph Myers, libc-alpha
Joseph Myers wrote:
> int32_t val = state[0];
> - val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
> + val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
The first assignment to VAL (in the unchanged line) is unnecessary; I suggest
coalescing the two lines.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Fix signed integer overflow in random_r (bug 17343)
2018-03-17 0:26 ` Paul Eggert
@ 2018-03-20 17:54 ` Joseph Myers
2018-03-20 17:58 ` Paul Eggert
0 siblings, 1 reply; 4+ messages in thread
From: Joseph Myers @ 2018-03-20 17:54 UTC (permalink / raw)
To: Paul Eggert; +Cc: libc-alpha
On Fri, 16 Mar 2018, Paul Eggert wrote:
> Joseph Myers wrote:
> > int32_t val = state[0];
> > - val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
> > + val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
>
> The first assignment to VAL (in the unchanged line) is unnecessary; I suggest
> coalescing the two lines.
Here's a version of the patch that includes that cleanup.
Fix signed integer overflow in random_r (bug 17343).
Bug 17343 reports that stdlib/random_r.c has code with undefined
behavior because of signed integer overflow on int32_t. This patch
changes the code so that the possibly overflowing computations use
unsigned arithmetic instead.
Note that the bug report refers to "Most code" in that file. The
places changed in this patch are the only ones I found where I think
such overflow can occur.
Tested for x86_64 and x86.
2018-03-20 Joseph Myers <joseph@codesourcery.com>
[BZ #17343]
* stdlib/random_r.c (__random_r): Use unsigned arithmetic for
possibly overflowing computations.
diff --git a/stdlib/random_r.c b/stdlib/random_r.c
index 4d2f0d4..7342cd8 100644
--- a/stdlib/random_r.c
+++ b/stdlib/random_r.c
@@ -361,8 +361,7 @@ __random_r (struct random_data *buf, int32_t *result)
if (buf->rand_type == TYPE_0)
{
- int32_t val = state[0];
- val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
+ int32_t val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
state[0] = val;
*result = val;
}
@@ -371,9 +370,9 @@ __random_r (struct random_data *buf, int32_t *result)
int32_t *fptr = buf->fptr;
int32_t *rptr = buf->rptr;
int32_t *end_ptr = buf->end_ptr;
- int32_t val;
+ uint32_t val;
- val = *fptr += *rptr;
+ val = *fptr += (uint32_t) *rptr;
/* Chucking least random bit. */
*result = (val >> 1) & 0x7fffffff;
++fptr;
--
Joseph S. Myers
joseph@codesourcery.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Fix signed integer overflow in random_r (bug 17343)
2018-03-20 17:54 ` Joseph Myers
@ 2018-03-20 17:58 ` Paul Eggert
0 siblings, 0 replies; 4+ messages in thread
From: Paul Eggert @ 2018-03-20 17:58 UTC (permalink / raw)
To: Joseph Myers; +Cc: libc-alpha
On 03/20/2018 10:54 AM, Joseph Myers wrote:
> *result = (val >> 1) & 0x7fffffff;
One other thing I just noticed: now that val is uint32_t, the above
should be simplifed to "*result = val >> 1;". The patch looks good
otherwise; thanks.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-03-20 17:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-16 17:33 Fix signed integer overflow in random_r (bug 17343) Joseph Myers
2018-03-17 0:26 ` Paul Eggert
2018-03-20 17:54 ` Joseph Myers
2018-03-20 17:58 ` Paul Eggert
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).