From 4d55b4e596d63705b86200d15d905b2549dd25df Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Wed, 2 Jan 2013 11:33:11 +0530
Subject: [PATCH] Add assert for potential access beyond array bounds in m1np

The mpexp code has an access into m1np:

  for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0) break; }

which could break for p >= 18 or i >= 7.  Fortunately this code is
never called due to the way the exp function is implemented since
values having exponent less than -55 return 1.0.  Make sure that if it
gets called in future, it is trapped.
---
 ChangeLog                      |  3 +++
 sysdeps/ieee754/dbl-64/mpexp.c | 21 +++++++++++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fe304e41a93..d0c10b5ff20 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2013-01-02  Siddhesh Poyarekar  <siddhesh@redhat.com>
 
+	* sysdeps/ieee754/dbl-64/mpexp.c (__mpexp): Add assert to
+	check access beyond bounds of m1np.
+
 	* sysdeps/ieee754/dbl-64/mpa.c [! NO__CONST]: New constant
 	MPTWO.
 	(__inv): Remove local variable MPTWO to use the global
diff --git a/sysdeps/ieee754/dbl-64/mpexp.c b/sysdeps/ieee754/dbl-64/mpexp.c
index 92399a3096b..3814fe2b295 100644
--- a/sysdeps/ieee754/dbl-64/mpexp.c
+++ b/sysdeps/ieee754/dbl-64/mpexp.c
@@ -31,6 +31,7 @@
 #include "endian.h"
 #include "mpa.h"
 #include "mpexp.h"
+#include <assert.h>
 
 #ifndef SECTION
 # define SECTION
@@ -71,10 +72,22 @@ __mpexp(mp_no *x, mp_no *y, int p) {
     for (i=2; i<=p; i++) { if (X[i]!=ZERO)  break; }
     if (i==p+1)  { m2--;  a *= TWO; }
   }
-  if ((m=m1+m2) <= 0) {
-    m=0;  a=ONE;
-    for (i=n-1; i>0; i--,n--) { if (m1np[i][p]+m2>0)  break; }
-  }
+
+  m = m1 + m2;
+  if (__glibc_unlikely (m <= 0))
+    {
+      /* The m1np array which is used to determine if we can reduce the
+	 polynomial expansion iterations, has only 18 elements.  Besides,
+	 numbers smaller than those required by p >= 18 should not come here
+	 at all since the fast phase of exp returns 1.0 for anything less
+	 than 2^-55.  */
+      assert (p < 18);
+      m = 0;
+      a = ONE;
+      for (i = n - 1; i > 0; i--, n--)
+	if (m1np[i][p] + m2 > 0)
+	  break;
+    }
 
   /* Compute s=x*2**(-m). Put result in mps */
   __dbl_mp(a,&mpt1,p);
-- 
2.47.2