Fix array overflow in floating point parser

diff --git a/ChangeLog b/ChangeLog
index 61dc9f8..c4c4cad 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2010-08-31  Andreas Schwab  <schwab@redhat.com>
+
+       [BZ #7066]
+       * stdlib/strtod_l.c (____STRTOF_INTERNAL): Fix array overflow when
+       shifting retval into place.
+
 2010-09-01  Ulrich Drepper  <drepper@redhat.com>
 
        * nis/rpcsvc/nis.h: Update copyright notice.

diff --git a/NEWS b/NEWS
index 6c336c2..432813b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.13
 
 * The following bugs are resolved with this release:
 
-  10851, 11640, 11701, 11840, 11856, 11883, 11903, 11904
+  7066, 10851, 11640, 11701, 11840, 11856, 11883, 11903, 11904
 
 * New Linux interfaces: prlimit, prlimit64, fanotify_init, fanotify_mark
 

diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
index cde1280..537d1fb 100644 (file)
--- a/stdlib/strtod_l.c
+++ b/stdlib/strtod_l.c
@@ -1491,7 +1491,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
                          register int i;
                          (void) __mpn_lshift (&retval[used
                                                       / BITS_PER_MP_LIMB],
-                                              retval, RETURN_LIMB_SIZE,
+                                              retval,
+                                              (RETURN_LIMB_SIZE
+                                               - used / BITS_PER_MP_LIMB),
                                               used % BITS_PER_MP_LIMB);
                          for (i = used / BITS_PER_MP_LIMB - 1; i >= 0; --i)
                            retval[i] = 0;