# HG changeset patch
# User Stefan Teleman
# Date 1422281758 28800
# Node ID 35dbb100a986e90e23cf89588cb280d7ee2a0528
# Parent 4dc408325e7ee4b76932f522e0eb8e27074a8131
20300662 problem in LIBRARY/LIBMPFR
diff -r 4dc408325e7e -r 35dbb100a986 components/mpfr/patches/002-CVE-2014-9474-strtofr.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/mpfr/patches/002-CVE-2014-9474-strtofr.c.patch Mon Jan 26 06:15:58 2015 -0800
@@ -0,0 +1,18 @@
+# Original patch for libmpfr 3.1.2 is here:
+# http://www.mpfr.org/mpfr-3.1.2/patch11
+# Backported to libmpfr 2.4.2.
+--- strtofr.c 2009-11-29 18:43:08.000000000 -0800
++++ strtofr.c 2015-01-23 11:30:29.242406530 -0800
+@@ -464,8 +464,10 @@
+ /* prec bits corresponds to ysize limbs */
+ ysize_bits = ysize * BITS_PER_MP_LIMB;
+ /* and to ysize_bits >= prec > MPFR_PREC (x) bits */
+- y = (mp_limb_t*) MPFR_TMP_ALLOC ((2 * ysize + 1) * sizeof (mp_limb_t));
+- y += ysize; /* y has (ysize+1) allocated limbs */
++ /* we need to allocate one more limb to work around
++ * https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html */
++ y = (mp_limb_t*) MPFR_TMP_ALLOC ((2 * ysize + 2) * sizeof (mp_limb_t));
++ y += ysize; /* y has (ysize+2) allocated limbs */
+
+ /* pstr_size is the number of characters we read in pstr->mant
+ to have at least ysize full limbs.
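Review bot: The three-line header of the new patch file gives provenance only as a plain-http link and "Backported to libmpfr 2.4.2", so the CVE it closes appears only in the filename and nothing says how the backport differs from upstream. I would add `# Fixes CVE-2014-9474: allocates one extra limb in strtofr.c (GMP workaround).` and cite the source as `# https://www.mpfr.org/mpfr-3.1.2/patch11`, so that anyone auditing the component can match the file against upstream over an authenticated channel. The hunk carries only the strtofr.c allocation change, and the enclosing function starts and ends outside it. If the upstream patch also ships a test case, it looks worth backporting alongside so that the 2.4.2 build actually exercises the enlarged buffer.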