# HG changeset patch
# User Stefan Teleman
# Date 1422472074 28800
# Node ID 9c01a3410e89bcbc93b3f476e1aa20c3e79cc30e
# Parent b681756a810c68a290cdbb0ccdd5b469a9f28e88
20300662 problem in LIBRARY/LIBMPFR
diff -r b681756a810c -r 9c01a3410e89 components/mpfr/patches/002-CVE-2014-9474-strtofr.c.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/mpfr/patches/002-CVE-2014-9474-strtofr.c.patch Wed Jan 28 11:07:54 2015 -0800
@@ -0,0 +1,18 @@
+# Original patch for libmpfr 3.1.2 is here:
+# http://www.mpfr.org/mpfr-3.1.2/patch11
+# Backported to libmpfr 2.4.2.
+--- strtofr.c 2009-11-29 18:43:08.000000000 -0800
++++ strtofr.c 2015-01-23 11:30:29.242406530 -0800
+@@ -464,8 +464,10 @@
+ /* prec bits corresponds to ysize limbs */
+ ysize_bits = ysize * BITS_PER_MP_LIMB;
+ /* and to ysize_bits >= prec > MPFR_PREC (x) bits */
+- y = (mp_limb_t*) MPFR_TMP_ALLOC ((2 * ysize + 1) * sizeof (mp_limb_t));
+- y += ysize; /* y has (ysize+1) allocated limbs */
++ /* we need to allocate one more limb to work around
++ * https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html */
++ y = (mp_limb_t*) MPFR_TMP_ALLOC ((2 * ysize + 2) * sizeof (mp_limb_t));
++ y += ysize; /* y has (ysize+2) allocated limbs */
+
+ /* pstr_size is the number of characters we read in pstr->mant
+ to have at least ysize full limbs.
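Review bot: The three `#` header lines of the new patch file record where the fix came from but not what it fixes. The CVE id appears only in the filename, and the in-code comment just links a GMP bug post, so a later maintainer could mistake the extra limb for removable slack. I would add a header line such as `# Fixes CVE-2014-9474: y was one limb too small for the GMP call that fills it (buffer overflow).`; the wording is inferred from the linked workaround, because the call that writes into `y` lies outside this hunk. The file also touches only strtofr.c and carries no regression test, although the hunk was moved from 3.1.2 onto line 464 of the much older 2.4.2 source. The header should therefore also say how the backport was checked, for example `# Verified: MPFR test suite passes with the patch applied under a memory checker.` if that was done.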