authorMichael Matz <matz@suse.de>2012-04-05 10:48:14 +0200
committerAndreas Jaeger <aj@suse.de>2012-04-05 10:50:09 +0200
commite80d6f94e19d17b91e3cd3ada7193cc88f621feb (patch)
treef519a13feef74d70dfade10c595b72d3113add5f /sysdeps
parent349fa79f5527f78d60c78eb1fbb2dfb56846018c (diff)
Fix size parameter comparisions.
[BZ #13592]
There are several signed compares of the size argument, whereas
it really is unsigned.  Depending on the situation, e.g. a "memset(ptr, 0,
-1)" segfaults (but for the wrong reasons, because it jumps into nirvana)
or even succeeds.

In normal use this is harmless, as a size with signbit set indicates
more than half the address space which on x86_64 is impossible to
allocate, but as the size is used to index some jump tables this
potentially could have other unwanted side effects.
Diffstat (limited to 'sysdeps')
-rw-r--r--sysdeps/x86_64/memset.S12
1 files changed, 6 insertions, 6 deletions
diff --git a/sysdeps/x86_64/memset.S b/sysdeps/x86_64/memset.S
index 7be907192c..9511745a41 100644
--- a/sysdeps/x86_64/memset.S
+++ b/sysdeps/x86_64/memset.S
@@ -1,6 +1,6 @@
 /* memset/bzero -- set memory area to CH/0
    Optimized version for x86-64.
-   Copyright (C) 2002-2005, 2007, 2008, 2011 Free Software Foundation, Inc.
+   Copyright (C) 2002-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -52,7 +52,7 @@ L(ck2):
 	imul   %r9,%rdx
 L(now_dw_aligned):
 	cmp    $0x90,%r8
-	jg     L(ck_mem_ops_method)
+	ja     L(ck_mem_ops_method)
 L(now_dw_aligned_small):
 	add    %r8,%rdi
 #ifndef PIC
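Review bot: The jg→ja change at L(now_dw_aligned) is the right condition code for a size_t in %r8, but nothing on the compare records that %r8 is unsigned, which is how the signed branches got in; a short comment on the cmp, `cmp $0x90,%r8 # %r8 = size_t length, unsigned compare`, would guard against the pattern coming back. The same applies to the compares in the hunks at @@ -604 and @@ -864, where the existing `# 176` and `# The largest cache size` comments describe the operands but not the signedness of the branch; in the @@ -864 hunk the 32-bit load into %r9d zero-extends, so the 64-bit unsigned cmp against %r8 is well-formed and worth saying so. Whether any further signed branches on %r8 remain in the parts of memset.S not shown here cannot be judged from these hunks; a scan of the rest of the file for jg/jge/jl/jle following a compare on %r8 would confirm BZ #13592 is fully covered. The code path this hunk belongs to begins before the hunk.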
@@ -604,7 +604,7 @@ L(aligned_now):
 	 punpcklqdq %xmm0,%xmm0
 
 	 cmp    $0xb0,%r8 # 176
-	 jge    L(byte32sse2_pre)
+	 jae    L(byte32sse2_pre)
 
 	 add    %r8,%rdi
 # ifndef PIC
@@ -864,7 +864,7 @@ L(byte32sse2_pre):
 
 	mov    __x86_64_shared_cache_size(%rip),%r9d  # The largest cache size
 	cmp    %r9,%r8
-	jg     L(sse2_nt_move_pre)
+	ja     L(sse2_nt_move_pre)
 	#jmp    L(byte32sse2)
 	.balign     16
 L(byte32sse2):
@@ -880,7 +880,7 @@ L(byte32sse2):
 	movdqa %xmm0,0x70(%rdi)
 
 	lea    0x80(%rdi),%rdi
-	jge    L(byte32sse2)
+	jae    L(byte32sse2)
 	add    %r8,%rdi
 # ifndef PIC
 	lea    L(SSExDx)(%rip),%r11
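Review bot: The jae that closes the L(byte32sse2) loop consumes flags that no instruction in the hunk produces — the lea on the preceding line and the movdqa stores above it do not write EFLAGS, so CF must come from an earlier update of %r8, presumably a sub near the top of the loop that lies outside this hunk. A branch whose flag producer is several instructions away deserves a comment naming it, e.g. `jae L(byte32sse2) # unsigned loop test on flags from the %r8 update above; lea does not write flags`, because inserting any flag-writing instruction between producer and branch would silently break the loop bound. The same applies to the jae in the L(sse2_nt_move) loop in the hunk at @@ -914. Both loops start before their hunks, so the producing instruction is not visible here.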
@@ -914,7 +914,7 @@ L(sse2_nt_move):
 	movntdq %xmm0,0x70(%rdi)
 
 	lea    0x80(%rdi),%rdi
-	jge    L(sse2_nt_move)
+	jae    L(sse2_nt_move)
 	sfence
 	add    %r8,%rdi
 # ifndef PIC