From a726d7960e8a4ac784131f591114a0ef14246d8b Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@redhat.com>
Date: Wed, 1 Sep 2010 12:38:44 -0700
Subject: [PATCH] Fix array overflow in floating point parser

---
 ChangeLog         | 6 ++++++
 NEWS              | 2 +-
 stdlib/strtod_l.c | 4 +++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 61dc9f8..c4c4cad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2010-08-31  Andreas Schwab  <schwab@redhat.com>
+
+	[BZ #7066]
+	* stdlib/strtod_l.c (____STRTOF_INTERNAL): Fix array overflow when
+	shifting retval into place.
+
 2010-09-01  Ulrich Drepper  <drepper@redhat.com>
 
 	* nis/rpcsvc/nis.h: Update copyright notice.
diff --git a/NEWS b/NEWS
index 6c336c2..432813b 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.13
 
 * The following bugs are resolved with this release:
 
-  10851, 11640, 11701, 11840, 11856, 11883, 11903, 11904
+  7066, 10851, 11640, 11701, 11840, 11856, 11883, 11903, 11904
 
 * New Linux interfaces: prlimit, prlimit64, fanotify_init, fanotify_mark
 
diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
index cde1280..537d1fb 100644
--- a/stdlib/strtod_l.c
+++ b/stdlib/strtod_l.c
@@ -1491,7 +1491,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
 			  register int i;
 			  (void) __mpn_lshift (&retval[used
 						       / BITS_PER_MP_LIMB],
-					       retval, RETURN_LIMB_SIZE,
+					       retval,
+					       (RETURN_LIMB_SIZE
+						- used / BITS_PER_MP_LIMB),
 					       used % BITS_PER_MP_LIMB);
 			  for (i = used / BITS_PER_MP_LIMB - 1; i >= 0; --i)
 			    retval[i] = 0;
-- 
2.7.4