This patch fixes a minor instance of undefined behavior in libdecnumber. It was 
discovered in the Rust bindings for libdecnumber (`dec`) using a custom version 
of MIRI that can execute foreign functions.

On the last iteration of the `while` loop in `decNumberGetBCD`, the pointer 
`up` will be incremented beyond the end of the allocation `dn->lsu` before the 
assignment `u=*up`. This value does not affect the termination of the loop and 
is never read again, so this isn't really an issue, but this patch prevents an 
access out-of-bounds by only incrementing `up` if it is safe to do so.

Bootstrapped on x86_64-pc-linux-gnu with no regressions.

libdecnumber/ChangeLog
       * decNumber.c: In `decNumberGetBCD`, only read from `dn->lsu` while the 
pointer `up` is still within bounds.

---
 libdecnumber/decNumber.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libdecnumber/decNumber.c b/libdecnumber/decNumber.c
index 0b6eb160fe3..094bc51c14a 100644
--- a/libdecnumber/decNumber.c
+++ b/libdecnumber/decNumber.c
@@ -3463,7 +3463,8 @@ uByte * decNumberGetBCD(const decNumber *dn, uByte *bcd) {
       cut--;
       if (cut>0) continue;        /* more in this unit */
       up++;
-      u=*up;
+      if (ub > bcd)
+        u=*up;
       cut=DECDPUN;
       }
   #endif
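Review bot: The unconditional `up++;` kept just above the new `if (ub > bcd)` still advances `up` on the final iteration, so the change guards the load `u=*up;` rather than the increment, which does not match the description's "only incrementing `up` if it is safe to do so". Forming a pointer one past the last unit is well defined in C and only the dereference is the problem, so the code can stay as it is, but the description should be reworded to say that the read is what gets skipped (the ChangeLog entry already states it that way). The condition `ub > bcd` depends on the loop header, which lies outside this hunk's context, so a short comment on the `if` saying that it means another digit is still to be written would make the guard self-explanatory.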
-- 
2.39.3 (Apple Git-145)
