From: Andreas Schwab <schwab@redhat.com>
Date: Wed, 1 Sep 2010 19:38:44 +0000 (-0700)
Subject: Fix array overflow in floating point parser
X-Git-Tag: glibc-2.12.2~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f844fe667e5b2dd79735ac5730ee75cd574c9674;p=thirdparty%2Fglibc.git

Fix array overflow in floating point parser
(cherry picked from commit a726d7960e8a4ac784131f591114a0ef14246d8b)
---

diff --git a/ChangeLog b/ChangeLog
index ad8a25f245a..846333aeefa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2010-08-31  Andreas Schwab  <schwab@redhat.com>
+
+	[BZ #7066]
+	* stdlib/strtod_l.c (____STRTOF_INTERNAL): Fix array overflow when
+	shifting retval into place.
+
 2010-09-14  Ulrich Drepper  <drepper@redhat.com>
 
 	* resolv/res_init.c (__res_vinit): Count the default server we added.
diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
index cde1280e552..537d1fbc611 100644
--- a/stdlib/strtod_l.c
+++ b/stdlib/strtod_l.c
@@ -1491,7 +1491,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
 			  register int i;
 			  (void) __mpn_lshift (&retval[used
 						       / BITS_PER_MP_LIMB],
-					       retval, RETURN_LIMB_SIZE,
+					       retval,
+					       (RETURN_LIMB_SIZE
+						- used / BITS_PER_MP_LIMB),
 					       used % BITS_PER_MP_LIMB);
 			  for (i = used / BITS_PER_MP_LIMB - 1; i >= 0; --i)
 			    retval[i] = 0;