aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdhemerval Zanella <adhemerval.zanella@linaro.org>2017-03-14 14:16:13 -0300
committerAdhemerval Zanella <adhemerval.zanella@linaro.org>2017-03-29 09:54:14 -0300
commit3abeeec5f46ff036bd9df60bb096e20314ccd078 (patch)
tree19bd5fb7c5a9f965e69242169e08053985cdae3d
parent29d92a8edabed7a1e062fc301bb127d734ec0c45 (diff)
downloadglibc-3abeeec5f46ff036bd9df60bb096e20314ccd078.tar
glibc-3abeeec5f46ff036bd9df60bb096e20314ccd078.tar.gz
glibc-3abeeec5f46ff036bd9df60bb096e20314ccd078.tar.bz2
glibc-3abeeec5f46ff036bd9df60bb096e20314ccd078.zip
Fix i686 memchr overflow calculation (BZ#21182)
This patch fixes the regression added by 23d2770 for final address overflow calculation. The subtraction of the considered size (16) at line 120 is at wrong place, for sizes less than 16 subsequent overflow check will not take in consideration an invalid size (since the subtraction will be negative). Also, the lea instruction also does not raise the carry flag (CF) that is used in subsequent jbe to check for overflow. The fix is to follow x86_64 logic from 3daef2c where the overflow is first check and a sub instruction is issued. In case of resulting negative size, CF will be set by the sub instruction and a NULL result will be returned. The patch also add similar tests reported in bug report. Checked on i686-linux-gnu and x86_64-linux-gnu. * string/test-memchr.c (do_test): Add BZ#21182 checks for address near end of a page. * sysdeps/i386/i686/multiarch/memchr-sse2.S (__memchr): Fix overflow calculation.
-rw-r--r--ChangeLog8
-rw-r--r--string/test-memchr.c6
-rw-r--r--sysdeps/i386/i686/multiarch/memchr-sse2.S2
3 files changed, 15 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 24908d0e21..71e72722ad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-03-29 Adhemerval Zanella <adhemerval.zanella@linaro.org>
+
+ [BZ# 21182]
+ * string/test-memchr.c (do_test): Add BZ#21182 checks for address
+ near end of a page.
+ * sysdeps/i386/i686/multiarch/memchr-sse2.S (__memchr): Fix
+ overflow calculation.
+
2017-03-28 Steve Ellcey <sellcey@caviumnetworks.com>
* benchtests/bench-memcpy-random.c (TEST_NAME): Change to memcpy.
diff --git a/string/test-memchr.c b/string/test-memchr.c
index 2403c9242b..669e092e7d 100644
--- a/string/test-memchr.c
+++ b/string/test-memchr.c
@@ -210,6 +210,12 @@ test_main (void)
do_test (0, i, i + 1, i + 1, 0);
}
+ /* BZ#21182 - wrong overflow calculation for i686 implementation
+ with address near end of the page. */
+ for (i = 2; i < 16; ++i)
+ /* page_size is in fact getpagesize() * 2. */
+ do_test (page_size / 2 - i, i, i, 1, 0x9B);
+
do_random_tests ();
return ret;
}
diff --git a/sysdeps/i386/i686/multiarch/memchr-sse2.S b/sysdeps/i386/i686/multiarch/memchr-sse2.S
index 910679cfc0..e41f324a77 100644
--- a/sysdeps/i386/i686/multiarch/memchr-sse2.S
+++ b/sysdeps/i386/i686/multiarch/memchr-sse2.S
@@ -117,7 +117,6 @@ L(crosscache):
# ifndef USE_AS_RAWMEMCHR
jnz L(match_case2_prolog1)
- lea -16(%edx), %edx
/* Calculate the last acceptable address and check for possible
addition overflow by using satured math:
edx = ecx + edx
@@ -125,6 +124,7 @@ L(crosscache):
add %ecx, %edx
sbb %eax, %eax
or %eax, %edx
+ sub $16, %edx
jbe L(return_null)
lea 16(%edi), %edi
# else