From patchwork Thu Jan 12 21:37:27 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chris Metcalf <cmetcalf@mellanox.com>
X-Patchwork-Id: 18886
Received: (qmail 117209 invoked by alias); 12 Jan 2017 21:37:45 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 117191 invoked by uid 89); 12 Jan 2017 21:37:44 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-5.1 required=5.0 tests=AWL, BAYES_00,
	RP_MATCHES_RCVD, SPF_HELO_PASS, SPF_PASS,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.2 spammy=tilepro,
	tilegx, walks
X-HELO: mellanox.co.il
From: Chris Metcalf <cmetcalf@mellanox.com>
To: libc-alpha@sourceware.org
Cc: Chris Metcalf <cmetcalf@mellanox.com>
Subject: [PATCH] tile: Check for pointer add overflow in memchr
Date: Thu, 12 Jan 2017 16:37:27 -0500
Message-Id: <1484257047-25513-1-git-send-email-cmetcalf@mellanox.com>

As was done in b224637928e9, check for large size causing an overflow
in the loop that walks over the array.
---
2017-01-12  Chris Metcalf  <cmetcalf@mellanox.com>

	* sysdeps/tile/tilegx/memchr.c (__memchr): Properly handle
	overflow for large sizes.
	* sysdeps/tile/tilepro/memchr.c (__memchr): Likewise.

 sysdeps/tile/tilegx/memchr.c  | 4 ++++
 sysdeps/tile/tilepro/memchr.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/sysdeps/tile/tilegx/memchr.c b/sysdeps/tile/tilegx/memchr.c
index 34df19d2319c..24a9e8aaa3fb 100644
--- a/sysdeps/tile/tilegx/memchr.c
+++ b/sysdeps/tile/tilegx/memchr.c
@@ -51,6 +51,10 @@ __memchr (const void *s, int c, size_t n)
   /* Compute the address of the last byte. */
   last_byte_ptr = (const char *) s + n - 1;
 
+  /* Handle possible addition overflow.  */
+  if (__glibc_unlikely ((unsigned long) last_byte_ptr < (unsigned long) s))
+    last_byte_ptr = (const char *) UINTPTR_MAX;
+
   /* Compute the address of the word containing the last byte. */
   last_word_ptr = (const uint64_t *) ((uintptr_t) last_byte_ptr & -8);
 
diff --git a/sysdeps/tile/tilepro/memchr.c b/sysdeps/tile/tilepro/memchr.c
index 1848a9cadb2d..5bc8ae3a2cbc 100644
--- a/sysdeps/tile/tilepro/memchr.c
+++ b/sysdeps/tile/tilepro/memchr.c
@@ -51,6 +51,10 @@ __memchr (const void *s, int c, size_t n)
   /* Compute the address of the last byte. */
   last_byte_ptr = (const char *) s + n - 1;
 
+  /* Handle possible addition overflow.  */
+  if (__glibc_unlikely ((unsigned long) last_byte_ptr < (unsigned long) s))
+    last_byte_ptr = (const char *) UINTPTR_MAX;
+
   /* Compute the address of the word containing the last byte. */
   last_word_ptr = (const uint32_t *) ((uintptr_t) last_byte_ptr & -4);