From ed007e0fa016697889271fbad39870f25cd8b36a Mon Sep 17 00:00:00 2001
From: Matthew Flatt
Date: Wed, 29 Jan 2014 16:23:31 -0700
Subject: [PATCH] fix another potential overflow in fixnum `expt`

This commit is a follow-up to e96d592735. The bug fixed this time is more subtle, because the overflowing computation is never used, but that doesn't matter in terms of avoiding undefined behavior. Thanks for Pascal Cuoq and John Regehr.
---
 racket/src/racket/src/number.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/racket/src/racket/src/number.c b/racket/src/racket/src/number.c
index 63e355dbfa..5d7a0e84ff 100644
--- a/racket/src/racket/src/number.c
+++ b/racket/src/racket/src/number.c
@@ -3241,8 +3241,15 @@ static Scheme_Object *fixnum_expt(intptr_t x, intptr_t y)
           || !(next_result / (uintptr_t)x == (uintptr_t)result)))
         return scheme_generic_integer_power(scheme_make_integer_value(orig_x),
                                             scheme_make_integer_value(orig_y));
-      else
+      else {
         result = (intptr_t)next_result;
+        if (y == 1) {
+          /* Don't allow another x * x, because it could overflow
+             (and if it overflows, then a compiler is technically
+             free to make it do anything at all): */
+          break;
+        }
+      }
     }
     y = y >> 1;
     x = x * x;
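Review bot: The squaring `x = x * x;` on the last line of the hunk is still an unguarded signed multiplication: on the even-y path (for example y == 2 with a large x) it runs before the `next_result / (uintptr_t)x` check of the following iteration can reject the result, so the same undefined overflow that the new `y == 1` break avoids can still happen one step earlier, unless a bound on x established outside the hunk rules it out. The loop that `break` leaves begins outside the hunk, so I cannot confirm whether such a bound exists. I would apply the same unsigned multiply-then-divide check to the squaring and fall back to `scheme_generic_integer_power` when it fails, mirroring the existing check on `result * x`.

```c
    /* … unchanged: odd-y step with the overflow check and break … */
    y = y >> 1;
    /* Guard the squaring like result * x above: an overflowing x * x on
       the even-y path is still signed overflow, even though the result
       would have been rejected on the next iteration. */
    uintptr_t next_x = (uintptr_t)x * (uintptr_t)x;
    if (x && (next_x / (uintptr_t)x != (uintptr_t)x))
      return scheme_generic_integer_power(scheme_make_integer_value(orig_x),
                                          scheme_make_integer_value(orig_y));
    x = (intptr_t)next_x;
```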