fix another potential overflow in fixnum expt

This commit is a follow-up to e96d592735. The bug fixed this time is more subtle, because the overflowing computation is never used, but that doesn't matter in terms of avoiding undefined behavior. Thanks for Pascal Cuoq and John Regehr.
2014-01-29 16:23:31 -07:00 · 2014-01-29 16:23:31 -07:00 · ed007e0fa0
commit ed007e0fa0
parent f22a895060
1 changed files with 8 additions and 1 deletions
--- a/racket/src/racket/src/number.c
+++ b/racket/src/racket/src/number.c
@ -3241,8 +3241,15 @@ static Scheme_Object *fixnum_expt(intptr_t x, intptr_t y)
                || !(next_result / (uintptr_t)x == (uintptr_t)result)))
          return scheme_generic_integer_power(scheme_make_integer_value(orig_x),
                                              scheme_make_integer_value(orig_y));
-        else
+        else {
          result = (intptr_t)next_result;
+          if (y == 1) {
+            /* Don't allow another x * x, because it could overflow
+               (and if it overflows, then a compiler is technically
+               free to make it do anything at all): */
+            break;
+          }
+        }
      }
      y = y >> 1;
      x = x * x;