From: Jakub Jelinek
To: Ulrich Drepper
Cc: Glibc hackers
Subject: [PATCH] Fix __printf_fp
Date: Wed, 24 Mar 2004 15:31:00 -0000
Message-ID: <20040324095017.GJ15946@sunsite.ms.mff.cuni.cz>

Hi!

For IEEE quad long double with BITS_PER_MP_LIMB 32, mantissa takes exactly 4 limbs. Until now any mantissa took at most 2 limbs (either IEEE extended long double on 32-bit arch or IEEE quad on 64-bit arch) and bignum_size reserved at least twice as many limbs for extra operations (e.g. it does frac[fracsize++] = cy; in certain cases etc.). Without this, printf with certain numbers results in buffer overflows.

2004-03-24  Jakub Jelinek

	* stdio-common/printf_fp.c (__printf_fp): For IEEE quad long double
	on 32-bit architectures reserve 8 limbs instead of 4.

--- libc/stdio-common/printf_fp.c.jj	2004-03-23 12:28:47.000000000 -0500
+++ libc/stdio-common/printf_fp.c	2004-03-24 11:01:38.000000000 -0500
@@ -431,7 +431,9 @@ __printf_fp (FILE *fp, would be really big it could lead to memory problems. */ { mp_size_t bignum_size = ((ABS (exponent) + BITS_PER_MP_LIMB - 1) - / BITS_PER_MP_LIMB + 4) * sizeof (mp_limb_t); + / BITS_PER_MP_LIMB + + (LDBL_MANT_DIG / BITS_PER_MP_LIMB > 2 ? 8 : 4)) + * sizeof (mp_limb_t); frac = (mp_limb_t *) alloca (bignum_size); tmp = (mp_limb_t *) alloca (bignum_size); scale = (mp_limb_t *) alloca (bignum_size); Jakub
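Review bot: the new padding term `(LDBL_MANT_DIG / BITS_PER_MP_LIMB > 2 ? 8 : 4)` hard-codes the three format/limb-width combinations as magic numbers, and the truncating division hides the reasoning (113 / 32 is 3, while the message says the quad mantissa occupies 4 limbs, which is what the "> 2" test is really standing in for). Since the stated requirement is "at least twice as many limbs as the mantissa", consider writing it as that, e.g. `2 * ((LDBL_MANT_DIG + BITS_PER_MP_LIMB - 1) / BITS_PER_MP_LIMB)`, which gives the same 4 and 8 for the cases listed in the message but cannot silently under-reserve for a wider format later. A one-line comment above `bignum_size` saying why the headroom exists (the `frac[fracsize++] = cy` writes) would also help, since the surrounding comment only talks about exponent-driven memory use. The three `alloca` calls below all take `bignum_size`, so the change covers `frac`, `tmp` and `scale` alike.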
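To make the sizing argument in the message concrete, here is an added C example (not code from the message or from glibc) that models the `bignum_size` expression before and after the patch, in limbs rather than bytes, and checks it against the requirement the message states: the padding must cover at least twice the mantissa's limb count. Taking "twice" as the exact rule, and the table of `LDBL_MANT_DIG` / `BITS_PER_MP_LIMB` pairs, are this example's own assumptions; only the 8/4 selection and the `frac[fracsize++] = cy` headroom come from the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Round a bit count up to the number of whole limbs needed to hold it. */
size_t limbs_for_bits(unsigned bits, unsigned limb_bits)
{
  return (bits + limb_bits - 1) / limb_bits;
}

/* Extra limbs reserved on top of the exponent term by the pre-patch
   expression: a fixed 4, regardless of the mantissa width.  */
size_t pad_limbs_old(unsigned mant_dig, unsigned limb_bits)
{
  (void) mant_dig;
  (void) limb_bits;
  return 4;
}

/* Extra limbs reserved by the patched expression.  Note the truncating
   division: 113 / 32 == 3, which is what makes the "> 2" test select
   IEEE quad on 32-bit limbs and nothing else.  */
size_t pad_limbs_new(unsigned mant_dig, unsigned limb_bits)
{
  return (mant_dig / limb_bits > 2) ? 8 : 4;
}

/* bignum_size from the hunk, expressed in limbs rather than bytes:
   ceil(|exponent| / limb_bits) plus the padding term.  */
size_t bignum_limbs(int exponent, unsigned mant_dig, unsigned limb_bits,
                    bool patched)
{
  unsigned e = exponent < 0 ? 0u - (unsigned) exponent : (unsigned) exponent;
  size_t pad = patched ? pad_limbs_new(mant_dig, limb_bits)
                       : pad_limbs_old(mant_dig, limb_bits);
  return (e + limb_bits - 1) / limb_bits + pad;
}

/* The requirement the message states: padding must be at least twice the
   mantissa's limb count so the in-place operations (the
   frac[fracsize++] = cy writes) stay inside the alloca'd buffers.
   Treating "twice" as the exact rule is this example's assumption.  */
bool padding_sufficient(unsigned mant_dig, unsigned limb_bits, bool patched)
{
  size_t pad = patched ? pad_limbs_new(mant_dig, limb_bits)
                       : pad_limbs_old(mant_dig, limb_bits);
  return pad >= 2 * limbs_for_bits(mant_dig, limb_bits);
}

int main(void)
{
  /* Constructed table of the format / limb-width pairs named in the message. */
  struct { const char *name; unsigned mant_dig, limb_bits; } cases[] = {
    { "IEEE extended, 32-bit limbs", 64, 32 },
    { "IEEE quad, 64-bit limbs", 113, 64 },
    { "IEEE quad, 32-bit limbs", 113, 32 },
  };
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
    printf("%-28s mantissa limbs %zu  old pad 4 %s  new pad %zu %s\n",
           cases[i].name,
           limbs_for_bits(cases[i].mant_dig, cases[i].limb_bits),
           padding_sufficient(cases[i].mant_dig, cases[i].limb_bits, false)
             ? "ok" : "OVERFLOW",
           pad_limbs_new(cases[i].mant_dig, cases[i].limb_bits),
           padding_sufficient(cases[i].mant_dig, cases[i].limb_bits, true)
             ? "ok" : "OVERFLOW");
  return 0;
}
```

Running it shows the old fixed padding of 4 limbs satisfying the two-limb mantissas but not the four-limb quad-on-32-bit case, which is exactly the combination the patched selector bumps to 8.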