Fix size parameter comparisions.

[BZ #13592] There are several signed compares of the size argument, whereas it really is unsigned. Depending on situations e.g. a "memset(ptr, 0, -1)" segfault (but for the wrong reasons, because jumping into nirvana) or succeeds even. In normal use this is harmless, as a size with signbit set indicates more than half the address space which on x86_64 is impossible to allocate, but as the size is used to index some jump tables this potentially could have other unwanted side effects.
2012-04-05 10:48:14 +02:00 · 2012-04-05 10:48:14 +02:00 · e80d6f94e1
parent 349fa79f55
commit e80d6f94e1
3 changed files with 16 additions and 11 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
 2012-04-05  Michael Matz  <matz@suse.de>
 	[BZ #13592]
 	* sysdeps/x86_64/memset.S: Fix size paramater comparisions.
 2012-04-05  Andreas Jaeger  <aj@suse.de>
 	[BZ #13908]
--- a/10
+++ b/10
@ -15,11 +15,11 @@ Version 2.16
  10110, 10135, 10140, 10210, 10346, 10545, 10716, 11174, 11322, 11365,
  11451, 11494, 12047, 12340, 13058, 13525, 13526, 13527, 13528, 13529,
  13530, 13531, 13532, 13533, 13547, 13551, 13552, 13553, 13555, 13559,
-  13566, 13583, 13618, 13637, 13656, 13658, 13673, 13691, 13695, 13704,
+  13566, 13583, 13592, 13618, 13637, 13656, 13658, 13673, 13691, 13695,
-  13706, 13726, 13738, 13760, 13761, 13786, 13792, 13806, 13824, 13840,
+  13704, 13706, 13726, 13738, 13760, 13761, 13786, 13792, 13806, 13824,
-  13841, 13844, 13846, 13851, 13852, 13854, 13871, 13879, 13883, 13892,
+  13840, 13841, 13844, 13846, 13851, 13852, 13854, 13871, 13879, 13883,
-  13908, 13910, 13911, 13912, 13913, 13915, 13916, 13917, 13918, 13919,
+  13892, 13908, 13910, 13911, 13912, 13913, 13915, 13916, 13917, 13918,
-  13920, 13921, 13926, 13928, 13938
+  13919, 13920, 13921, 13926, 13928, 13938
 * ISO C11 support:
--- a/sysdeps/x86_64/memset.S
+++ b/sysdeps/x86_64/memset.S
@ -1,6 +1,6 @@
 /* memset/bzero -- set memory area to CH/0
   Optimized version for x86-64.
-   Copyright (C) 2002-2005, 2007, 2008, 2011 Free Software Foundation, Inc.
+   Copyright (C) 2002-2012 Free Software Foundation, Inc.
   This file is part of the GNU C Library.
   The GNU C Library is free software; you can redistribute it and/or
@ -52,7 +52,7 @@ L(ck2):
 	imul   %r9,%rdx
 L(now_dw_aligned):
 	cmp    $0x90,%r8
-	jg     L(ck_mem_ops_method)
+	ja     L(ck_mem_ops_method)
 L(now_dw_aligned_small):
 	add    %r8,%rdi
 #ifndef PIC
@ -604,7 +604,7 @@ L(aligned_now):
 	 punpcklqdq %xmm0,%xmm0
 	 cmp    $0xb0,%r8 # 176
-	 jge    L(byte32sse2_pre)
+	 jae    L(byte32sse2_pre)
 	 add    %r8,%rdi
 # ifndef PIC
@ -864,7 +864,7 @@ L(byte32sse2_pre):
 	mov    __x86_64_shared_cache_size(%rip),%r9d  # The largest cache size
 	cmp    %r9,%r8
-	jg     L(sse2_nt_move_pre)
+	ja     L(sse2_nt_move_pre)
 	#jmp    L(byte32sse2)
 	.balign     16
 L(byte32sse2):
@ -880,7 +880,7 @@ L(byte32sse2):
 	movdqa %xmm0,0x70(%rdi)
 	lea    0x80(%rdi),%rdi
-	jge    L(byte32sse2)
+	jae    L(byte32sse2)
 	add    %r8,%rdi
 # ifndef PIC
 	lea    L(SSExDx)(%rip),%r11
@ -914,7 +914,7 @@ L(sse2_nt_move):
 	movntdq %xmm0,0x70(%rdi)
 	lea    0x80(%rdi),%rdi
-	jge    L(sse2_nt_move)
+	jae    L(sse2_nt_move)
 	sfence
 	add    %r8,%rdi
 # ifndef PIC