[Gmp-commit] /home/hgfiles/gmp: (mpn_dcpi1_divappr_q): Avoid a buffer overrun.

[mercurial at gmplib.org]

details:   /home/hgfiles/gmp/rev/31471fab0deb
changeset: 13058:31471fab0deb
user:      Torbjorn Granlund <tege at gmplib.org>
date:      Sun Dec 13 21:05:54 2009 +0100
description:
(mpn_dcpi1_divappr_q): Avoid a buffer overrun.

diffstat:

 ChangeLog                     |  3 +++
 mpn/generic/dcpi1_divappr_q.c |  8 +++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diffs (30 lines):

diff -r e06c4e48a9c6 -r 31471fab0deb ChangeLog
--- a/ChangeLog	Sun Dec 13 17:55:41 2009 +0100
+++ b/ChangeLog	Sun Dec 13 21:05:54 2009 +0100
@@ -1,5 +1,8 @@
 2009-12-13  Torbjorn Granlund  <tege at gmplib.org>
 
+	* mpn/generic/dcpi1_divappr_q.c (mpn_dcpi1_divappr_q): Avoid a buffer
+	overrun.
+
 	* mpn/generic/mul_fft.c (mpn_mul_fft_full): Handle carry-out from 2nd
 	mpn_mul_fft, add an ASSERT for the 1sd mpn_mul_fft.  Replace some
 	comments on cc's range with ASSERTs.
diff -r e06c4e48a9c6 -r 31471fab0deb mpn/generic/dcpi1_divappr_q.c
--- a/mpn/generic/dcpi1_divappr_q.c	Sun Dec 13 17:55:41 2009 +0100
+++ b/mpn/generic/dcpi1_divappr_q.c	Sun Dec 13 21:05:54 2009 +0100
@@ -162,9 +162,11 @@
 	qh = mpn_sbpi1_divappr_q (qp, np - dn, nn, dp - dn, dn, dinv->inv32);
       else
 	{
-	  /* Put quotient in tp, use qp as temporary, since qp lacks a limb.  */
-	  qh = mpn_dcpi1_divappr_q_n (tp, np - qn - 2, dp - (qn + 1), qn + 1, dinv, qp);
-	  MPN_COPY (qp, tp + 1, qn);
+	  /* It is tempting to use qp for recursive scratch and put quotient in
+	     tp, but the recursive scratch needs one limb too many.  */
+	  mp_ptr qp2 = TMP_SALLOC_LIMBS (qn + 1);
+	  qh = mpn_dcpi1_divappr_q_n (qp2, np - qn - 2, dp - (qn + 1), qn + 1, dinv, tp);
+	  MPN_COPY (qp, qp2 + 1, qn);
 	}
     }