Fix nan functions handling of payload strings (bug 16961, bug 16962).
The nan, nanf and nanl functions handle payload strings by doing e.g.:
if (tagp[0] != '\0')
{
char buf[6 + strlen (tagp)];
sprintf (buf, "NAN(%s)", tagp);
return strtod (buf, NULL);
}
This is an unbounded stack allocation based on the length of the
argument. Furthermore, if the argument starts with an n-char-sequence
followed by ')', that n-char-sequence is wrongly treated as
significant for determining the payload of the resulting NaN, when ISO
C says the call should be equivalent to strtod ("NAN", NULL), without
being affected by that initial n-char-sequence. This patch fixes both
those problems by using the __strtod_nan etc. functions recently
factored out of strtod etc. for that purpose, with those functions
being exported from libc at version GLIBC_PRIVATE.
Tested for x86_64, x86, mips64 and powerpc.
[BZ #16961]
[BZ #16962]
* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
string on the stack for strtod.
* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
a string on the stack for strtof.
* math/s_nanl.c (__nanl): Use __strtold_nan instead of
constructing a string on the stack for strtold.
* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
__strtold_nan to GLIBC_PRIVATE.
* math/test-nan-overflow.c: New file.
* math/test-nan-payload.c: Likewise.
* math/Makefile (tests): Add test-nan-overflow and
test-nan-payload.
2015-12-04 20:36:28 +00:00
|
|
|
/* Test nan functions stack overflow (bug 16962).
|
2020-01-01 00:14:33 +00:00
|
|
|
Copyright (C) 2015-2020 Free Software Foundation, Inc.
|
Fix nan functions handling of payload strings (bug 16961, bug 16962).
The nan, nanf and nanl functions handle payload strings by doing e.g.:
if (tagp[0] != '\0')
{
char buf[6 + strlen (tagp)];
sprintf (buf, "NAN(%s)", tagp);
return strtod (buf, NULL);
}
This is an unbounded stack allocation based on the length of the
argument. Furthermore, if the argument starts with an n-char-sequence
followed by ')', that n-char-sequence is wrongly treated as
significant for determining the payload of the resulting NaN, when ISO
C says the call should be equivalent to strtod ("NAN", NULL), without
being affected by that initial n-char-sequence. This patch fixes both
those problems by using the __strtod_nan etc. functions recently
factored out of strtod etc. for that purpose, with those functions
being exported from libc at version GLIBC_PRIVATE.
Tested for x86_64, x86, mips64 and powerpc.
[BZ #16961]
[BZ #16962]
* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
string on the stack for strtod.
* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
a string on the stack for strtof.
* math/s_nanl.c (__nanl): Use __strtold_nan instead of
constructing a string on the stack for strtold.
* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
__strtold_nan to GLIBC_PRIVATE.
* math/test-nan-overflow.c: New file.
* math/test-nan-payload.c: Likewise.
* math/Makefile (tests): Add test-nan-overflow and
test-nan-payload.
2015-12-04 20:36:28 +00:00
|
|
|
This file is part of the GNU C Library.
|
|
|
|
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
|
|
modify it under the terms of the GNU Lesser General Public
|
|
|
|
License as published by the Free Software Foundation; either
|
|
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
Lesser General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
|
|
License along with the GNU C Library; if not, see
|
Prefer https to http for gnu.org and fsf.org URLs
Also, change sources.redhat.com to sourceware.org.
This patch was automatically generated by running the following shell
script, which uses GNU sed, and which avoids modifying files imported
from upstream:
sed -ri '
s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g
s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g
' \
$(find $(git ls-files) -prune -type f \
! -name '*.po' \
! -name 'ChangeLog*' \
! -path COPYING ! -path COPYING.LIB \
! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \
! -path manual/texinfo.tex ! -path scripts/config.guess \
! -path scripts/config.sub ! -path scripts/install-sh \
! -path scripts/mkinstalldirs ! -path scripts/move-if-change \
! -path INSTALL ! -path locale/programs/charmap-kw.h \
! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \
! '(' -name configure \
-execdir test -f configure.ac -o -f configure.in ';' ')' \
! '(' -name preconfigure \
-execdir test -f preconfigure.ac ';' ')' \
-print)
and then by running 'make dist-prepare' to regenerate files built
from the altered files, and then executing the following to cleanup:
chmod a+x sysdeps/unix/sysv/linux/riscv/configure
# Omit irrelevant whitespace and comment-only changes,
# perhaps from a slightly-different Autoconf version.
git checkout -f \
sysdeps/csky/configure \
sysdeps/hppa/configure \
sysdeps/riscv/configure \
sysdeps/unix/sysv/linux/csky/configure
# Omit changes that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines
git checkout -f \
sysdeps/powerpc/powerpc64/ppc-mcount.S \
sysdeps/unix/sysv/linux/s390/s390-64/syscall.S
# Omit change that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline
git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-09-07 05:40:42 +00:00
|
|
|
<https://www.gnu.org/licenses/>. */
|
Fix nan functions handling of payload strings (bug 16961, bug 16962).
The nan, nanf and nanl functions handle payload strings by doing e.g.:
if (tagp[0] != '\0')
{
char buf[6 + strlen (tagp)];
sprintf (buf, "NAN(%s)", tagp);
return strtod (buf, NULL);
}
This is an unbounded stack allocation based on the length of the
argument. Furthermore, if the argument starts with an n-char-sequence
followed by ')', that n-char-sequence is wrongly treated as
significant for determining the payload of the resulting NaN, when ISO
C says the call should be equivalent to strtod ("NAN", NULL), without
being affected by that initial n-char-sequence. This patch fixes both
those problems by using the __strtod_nan etc. functions recently
factored out of strtod etc. for that purpose, with those functions
being exported from libc at version GLIBC_PRIVATE.
Tested for x86_64, x86, mips64 and powerpc.
[BZ #16961]
[BZ #16962]
* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
string on the stack for strtod.
* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
a string on the stack for strtof.
* math/s_nanl.c (__nanl): Use __strtold_nan instead of
constructing a string on the stack for strtold.
* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
__strtold_nan to GLIBC_PRIVATE.
* math/test-nan-overflow.c: New file.
* math/test-nan-payload.c: Likewise.
* math/Makefile (tests): Add test-nan-overflow and
test-nan-payload.
2015-12-04 20:36:28 +00:00
|
|
|
|
|
|
|
#include <math.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <sys/resource.h>
|
2016-10-28 16:43:15 +00:00
|
|
|
#include <stdlib.h>
|
Fix nan functions handling of payload strings (bug 16961, bug 16962).
The nan, nanf and nanl functions handle payload strings by doing e.g.:
if (tagp[0] != '\0')
{
char buf[6 + strlen (tagp)];
sprintf (buf, "NAN(%s)", tagp);
return strtod (buf, NULL);
}
This is an unbounded stack allocation based on the length of the
argument. Furthermore, if the argument starts with an n-char-sequence
followed by ')', that n-char-sequence is wrongly treated as
significant for determining the payload of the resulting NaN, when ISO
C says the call should be equivalent to strtod ("NAN", NULL), without
being affected by that initial n-char-sequence. This patch fixes both
those problems by using the __strtod_nan etc. functions recently
factored out of strtod etc. for that purpose, with those functions
being exported from libc at version GLIBC_PRIVATE.
Tested for x86_64, x86, mips64 and powerpc.
[BZ #16961]
[BZ #16962]
* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
string on the stack for strtod.
* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
a string on the stack for strtof.
* math/s_nanl.c (__nanl): Use __strtold_nan instead of
constructing a string on the stack for strtold.
* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
__strtold_nan to GLIBC_PRIVATE.
* math/test-nan-overflow.c: New file.
* math/test-nan-payload.c: Likewise.
* math/Makefile (tests): Add test-nan-overflow and
test-nan-payload.
2015-12-04 20:36:28 +00:00
|
|
|
|
|
|
|
#define STACK_LIM 1048576
|
|
|
|
#define STRING_SIZE (2 * STACK_LIM)
|
|
|
|
|
|
|
|
static int
|
|
|
|
do_test (void)
|
|
|
|
{
|
|
|
|
int result = 0;
|
|
|
|
struct rlimit lim;
|
|
|
|
getrlimit (RLIMIT_STACK, &lim);
|
|
|
|
lim.rlim_cur = STACK_LIM;
|
|
|
|
setrlimit (RLIMIT_STACK, &lim);
|
|
|
|
char *nanstr = malloc (STRING_SIZE);
|
|
|
|
if (nanstr == NULL)
|
|
|
|
{
|
|
|
|
puts ("malloc failed, cannot test");
|
|
|
|
return 77;
|
|
|
|
}
|
|
|
|
memset (nanstr, '0', STRING_SIZE - 1);
|
|
|
|
nanstr[STRING_SIZE - 1] = 0;
|
|
|
|
#define NAN_TEST(TYPE, FUNC) \
|
|
|
|
do \
|
|
|
|
{ \
|
|
|
|
char *volatile p = nanstr; \
|
|
|
|
volatile TYPE v = FUNC (p); \
|
|
|
|
if (isnan (v)) \
|
|
|
|
puts ("PASS: " #FUNC); \
|
|
|
|
else \
|
|
|
|
{ \
|
|
|
|
puts ("FAIL: " #FUNC); \
|
|
|
|
result = 1; \
|
|
|
|
} \
|
|
|
|
} \
|
|
|
|
while (0)
|
|
|
|
NAN_TEST (float, nanf);
|
|
|
|
NAN_TEST (double, nan);
|
|
|
|
NAN_TEST (long double, nanl);
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define TEST_FUNCTION do_test ()
|
|
|
|
#include "../test-skeleton.c"
|