[git commit] ash,hush: do not segfault on $((2**63 / -1))
Denys Vlasenko
vda.linux at googlemail.com
Tue Nov 18 13:32:58 UTC 2014
commit: http://git.busybox.net/busybox/commit/?id=8a475def9e3e21f780ebcf07dd607b26ceb00ea8
branch: http://git.busybox.net/busybox/commit/?id=refs/heads/master
Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
shell/math.c | 27 +++++++++++++++++++++++----
1 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/shell/math.c b/shell/math.c
index 3da1511..e7565eb 100644
--- a/shell/math.c
+++ b/shell/math.c
@@ -415,10 +415,29 @@ arith_apply(arith_state_t *math_state, operator op, var_or_num_t *numstack, var_
}
else if (right_side_val == 0)
return "divide by zero";
- else if (op == TOK_DIV || op == TOK_DIV_ASSIGN)
- rez /= right_side_val;
- else if (op == TOK_REM || op == TOK_REM_ASSIGN)
- rez %= right_side_val;
+ else if (op == TOK_DIV || op == TOK_DIV_ASSIGN
+ || op == TOK_REM || op == TOK_REM_ASSIGN) {
+ /*
+ * bash 4.2.45 x86 64bit: SEGV on 'echo $((2**63 / -1))'
+ *
+ * MAX_NEGATIVE_INT / -1 = MAX_POSITIVE_INT+1
+ * and thus is not representable.
+ * Some CPUs segfault trying such op.
+ * Others overfolw MAX_POSITIVE_INT+1 to
+ * MAX_NEGATIVE_INT (0x7fff+1 = 0x8000).
+ * Make sure to at least not SEGV here:
+ */
+ if (right_side_val == -1
+ && rez << 1 == 0 /* MAX_NEGATIVE_INT or 0 */
+ ) {
+ right_side_val = 1;
+ }
+ if (op == TOK_DIV || op == TOK_DIV_ASSIGN)
+ rez /= right_side_val;
+ else {
+ rez %= right_side_val;
+ }
+ }
}
if (is_assign_op(op)) {
More information about the busybox-cvs
mailing list