If `n' is huge, and `av' is near the top of memory (e.g., in the top
quarter, if we're using 32-bit digits) then `av + n' wraps around, and
is consequently less than `avl', leading to all sorts of unfortunate
behaviour.
Noticed under `qemu-arm' on stretch, but generally applicable.
size_t nr = MPW_BITS - nb;
mpw w;
- av += nw;
- w = av < avl ? *av++ : 0;
- while (av < avl) {
- mpw t;
- if (dv >= dvl) goto done;
- t = *av++;
- *dv++ = MPW((w >> nb) | (t << nr));
- w = t;
+ if (nw >= avl - av)
+ w = 0;
+ else {
+ av += nw;
+ w = *av++;
+
+ while (av < avl) {
+ mpw t;
+ if (dv >= dvl) goto done;
+ t = *av++;
+ *dv++ = MPW((w >> nb) | (t << nr));
+ w = t;
+ }
}
+
if (dv < dvl) {
*dv++ = MPW(w >> nb);
MPX_ZERO(dv, dvl);
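Review bot: The guard `if (nw >= avl - av)` relies on an implicit conversion between the signed pointer difference and `nw`, whose declaration is outside the hunk and is presumably an unsigned count; writing it as `if (nw >= (size_t)(avl - av))` makes the intended unsigned comparison explicit and keeps `-Wsign-compare` quiet. The guard also deserves a one-line comment such as `/* Compare counts, not pointers: av + nw can wrap for huge nw. */`, so a later tidy-up does not reintroduce the `av += nw; av < avl` form, which is undefined behaviour as soon as the pointer leaves the array, even where it does not visibly wrap. Both spellings assume `avl >= av` on entry, which the hunk does not show being checked. The enclosing function starts and ends outside the hunk, so any other place that advances a pointer by a caller-supplied word count before bounds-checking it is worth checking for the same pattern.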