about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog7
-rw-r--r--sysdeps/i386/i686/multiarch/memchr-sse2-bsf.S10
-rw-r--r--sysdeps/i386/i686/multiarch/memchr-sse2.S8
3 files changed, 22 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index a98aea23b1..d321a89a37 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-01-02  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+
+	[BZ #21014]
+	* sysdeps/i386/i686/multiarch/memchr-sse2-bsf.S (MEMCHR): Avoid overflow
+	in pointer addition.
+	* sysdeps/i386/i686/multiarch/memchr-sse2.S (MEMCHR): Likewise.
+
 2017-01-02  Torvald Riegel  <triegel@redhat.com>
 
 	* sysdeps/sparc/nptl/bits/pthreadtypes.h (pthread_cond_t): Adapt to
diff --git a/sysdeps/i386/i686/multiarch/memchr-sse2-bsf.S b/sysdeps/i386/i686/multiarch/memchr-sse2-bsf.S
index c035329ece..dd316486e6 100644
--- a/sysdeps/i386/i686/multiarch/memchr-sse2-bsf.S
+++ b/sysdeps/i386/i686/multiarch/memchr-sse2-bsf.S
@@ -149,9 +149,15 @@ L(crosscache):
 	.p2align 4
 L(unaligned_no_match):
 # ifndef USE_AS_RAWMEMCHR
-	sub	$16, %edx
+        /* Calculate the last acceptable address and check for possible
+           addition overflow by using satured math:
+           edx = ecx + edx
+           edx |= -(edx < ecx)  */
 	add	%ecx, %edx
-	jle	L(return_null)
+	sbb	%eax, %eax
+	or	%eax, %edx
+	sub	$16, %edx
+	jbe	L(return_null)
 	add	$16, %edi
 # else
 	add	$16, %edx
diff --git a/sysdeps/i386/i686/multiarch/memchr-sse2.S b/sysdeps/i386/i686/multiarch/memchr-sse2.S
index f1a11b5c67..910679cfc0 100644
--- a/sysdeps/i386/i686/multiarch/memchr-sse2.S
+++ b/sysdeps/i386/i686/multiarch/memchr-sse2.S
@@ -118,8 +118,14 @@ L(crosscache):
 # ifndef USE_AS_RAWMEMCHR
 	jnz	L(match_case2_prolog1)
 	lea	-16(%edx), %edx
+        /* Calculate the last acceptable address and check for possible
+           addition overflow by using satured math:
+           edx = ecx + edx
+           edx |= -(edx < ecx)  */
 	add	%ecx, %edx
-	jle	L(return_null)
+	sbb	%eax, %eax
+	or	%eax, %edx
+	jbe	L(return_null)
 	lea	16(%edi), %edi
 # else
 	jnz	L(match_case1_prolog1)