20300662 problem in LIBRARY/LIBMPFR s11-update
author Stefan Teleman <stefan.teleman@oracle.com>
Wed, 28 Jan 2015 11:07:54 -0800
branch s11-update
changeset 3698 9c01a3410e89
parent 3697 b681756a810c
child 3704 69ab8eca01c5
20300662 problem in LIBRARY/LIBMPFR
components/mpfr/patches/002-CVE-2014-9474-strtofr.c.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/mpfr/patches/002-CVE-2014-9474-strtofr.c.patch	Wed Jan 28 11:07:54 2015 -0800
@@ -0,0 +1,18 @@
+# Original patch for libmpfr 3.1.2 is here:
+# http://www.mpfr.org/mpfr-3.1.2/patch11
+# Backported to libmpfr 2.4.2.
+--- strtofr.c	2009-11-29 18:43:08.000000000 -0800
++++ strtofr.c	2015-01-23 11:30:29.242406530 -0800
+@@ -464,8 +464,10 @@
+       /* prec bits corresponds to ysize limbs */
+       ysize_bits = ysize * BITS_PER_MP_LIMB;
+       /* and to ysize_bits >= prec > MPFR_PREC (x) bits */
+-      y = (mp_limb_t*) MPFR_TMP_ALLOC ((2 * ysize + 1) * sizeof (mp_limb_t));
+-      y += ysize; /* y has (ysize+1) allocated limbs */
++      /* we need to allocate one more limb to work around
++       * https://gmplib.org/list-archives/gmp-bugs/2013-December/003267.html */
++      y = (mp_limb_t*) MPFR_TMP_ALLOC ((2 * ysize + 2) * sizeof (mp_limb_t));
++      y += ysize; /* y has (ysize+2) allocated limbs */
+ 
+       /* pstr_size is the number of characters we read in pstr->mant
+          to have at least ysize full limbs.
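Review bot: The new comment above the MPFR_TMP_ALLOC call justifies the extra limb only with a gmp-bugs archive URL. Please add a few words in the comment itself saying what GMP behaviour requires the spare limb, so the sizing remains understandable if the link stops resolving. The arithmetic matches the updated comment: (2 * ysize + 2) limbs are allocated and y += ysize leaves ysize+2. The patch header states that this is a backport from libmpfr 3.1.2 to 2.4.2 but not whether the hunk had to be altered for 2.4.2. A line recording that, and naming CVE-2014-9474 (currently only in the file name), would help whoever next rebases or drops this patch.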