author | Andreas Schwab <schwab@redhat.com> | 2010-09-01 12:38:44 -0700 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2010-09-01 12:38:44 -0700 |
commit | a726d7960e8a4ac784131f591114a0ef14246d8b (patch) | |
tree | 3402c5f7cb2d54f27ac4e782e8e514ee18b266b3 | |
parent | f2933da978abcf1ef4b9a66e96772c1b8bcdb142 (diff) | |
Fix array overflow in floating point parser
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | stdlib/strtod_l.c | 4 |
3 files changed, 10 insertions, 2 deletions
@@ -1,3 +1,9 @@
+2010-08-31 Andreas Schwab <schwab@redhat.com>
+
+ [BZ #7066]
+ * stdlib/strtod_l.c (____STRTOF_INTERNAL): Fix array overflow when
+ shifting retval into place.
+
 2010-09-01 Ulrich Drepper <drepper@redhat.com>
 * nis/rpcsvc/nis.h: Update copyright notice.
@@ -9,7 +9,7 @@ Version 2.13
 * The following bugs are resolved with this release:
- 10851, 11640, 11701, 11840, 11856, 11883, 11903, 11904
+ 7066, 10851, 11640, 11701, 11840, 11856, 11883, 11903, 11904
 * New Linux interfaces: prlimit, prlimit64, fanotify_init, fanotify_mark
diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
index cde1280e55..537d1fbc61 100644
--- a/stdlib/strtod_l.c
+++ b/stdlib/strtod_l.c
@@ -1491,7 +1491,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
 register int i;
 (void) __mpn_lshift (&retval[used / BITS_PER_MP_LIMB],
- retval, RETURN_LIMB_SIZE,
+ retval,
+ (RETURN_LIMB_SIZE
+ - used / BITS_PER_MP_LIMB),
 used % BITS_PER_MP_LIMB);
 for (i = used / BITS_PER_MP_LIMB - 1; i >= 0; --i) retval[i] = 0; |
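Review bot: The new limb count `RETURN_LIMB_SIZE - used / BITS_PER_MP_LIMB` in the strtod_l.c hunk is only valid while `used / BITS_PER_MP_LIMB < RETURN_LIMB_SIZE`, and nothing visible in the hunk establishes that bound; if it can fail, the destination `&retval[used / BITS_PER_MP_LIMB]` is already past the array and the count is zero or negative. The enclosing block starts and ends outside the hunk, so an earlier condition on `used` may guarantee the bound; if so, a comment or `assert (used / BITS_PER_MP_LIMB < RETURN_LIMB_SIZE);` before the call would record the invariant the fix relies on. The shift count `used % BITS_PER_MP_LIMB` is zero whenever `used` is a multiple of the limb width, so it is worth confirming that `__mpn_lshift` is never reached with a count of 0, assuming it follows the usual mpn contract of a nonzero shift. The diffstat lists only ChangeLog, NEWS and stdlib/strtod_l.c, so no regression test for BZ #7066 accompanies the fix; a stdlib test that parses the input from the bug report would keep the overflow from coming back unnoticed.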