This patch fixes a minor instance of undefined behavior in libdecnumber. It was discovered in the Rust bindings for libdecnumber (`dec`) using a custom version of MIRI that can execute foreign functions.
On the last iteration of the `while` loop in `decNumberGetBCD`, the pointer `up` will be incremented beyond the end of the allocation `dn->lsu` before the assignment `u=*up`. This value does not affect the termination of the loop and is never read again, so this isn't really an issue, but this patch prevents an access out-of-bounds by only incrementing `up` if it is safe to do so.

Bootstrapped on x86_64-pc-linux-gnu with no regressions.

libdecnumber/ChangeLog

* decNumber.c: In `decNumberGetBCD`, only read from `dn->lsu` while the pointer `up` is still within bounds.

--- libdecnumber/decNumber.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libdecnumber/decNumber.c b/libdecnumber/decNumber.c index 0b6eb160fe3..094bc51c14a 100644 --- a/libdecnumber/decNumber.c +++ b/libdecnumber/decNumber.c @@ -3463,7 +3463,8 @@ uByte * decNumberGetBCD(const decNumber *dn, uByte *bcd) { cut--; if (cut>0) continue; /* more in this unit */ up++; - u=*up; + if (ub > bcd) + u=*up; cut=DECDPUN; } #endif -- 2.39.3 (Apple Git-145)
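Review bot: The new guard `if (ub > bcd)` covers only the read `u=*up;`, while `up++;` just above it stays unconditional, so the description's "only incrementing `up` if it is safe to do so" does not match what the hunk does. The ChangeLog wording ("only read from `dn->lsu` while the pointer `up` is still within bounds") is the accurate one. Advancing a pointer to one past the end of an array is permitted in C, so leaving `up++` as it is looks fine, and the commit text should say that the dereference is what gets skipped. The loop header is not visible in this hunk, so a short comment on the guard stating why `ub > bcd` means another digit remains to be written would make the condition checkable in place, in the style of the existing `/* more in this unit */`. As a style point, the surrounding code writes comparisons without spaces (`if (cut>0) continue;`), so `if (ub>bcd)` would match the file.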