From ce8d4082054519f2eaac39958edde502860a7fc6 Mon Sep 17 00:00:00 2001
From: Richard Henderson
Date: Mon, 16 Apr 2018 16:53:28 -1000
Subject: [PATCH] fpu: Bound increment for scalbn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without bounding the increment, we can overflow exp either here in scalbn_decomposed or when adding the bias in round_canonical. This can result in e.g. underflowing to 0 instead of overflowing to infinity. The old softfloat code did bound the increment.

Signed-off-by: Richard Henderson
Reviewed-by: Peter Maydell
Reviewed-by: Alex Bennée
Tested-by: Alex Bennée
Signed-off-by: Peter Maydell
---
 fpu/softfloat.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fpu/softfloat.c b/fpu/softfloat.c
index d90d79d777..70e0c40a1c 100644
--- a/fpu/softfloat.c
+++ b/fpu/softfloat.c
@@ -1878,6 +1878,12 @@ static FloatParts scalbn_decomposed(FloatParts a, int n, float_status *s)
 return return_nan(a, s);
 }
 if (a.cls == float_class_normal) {
+ /* The largest float type (even though not supported by FloatParts)
+ * is float128, which has a 15 bit exponent. Bounding N to 16 bits
+ * still allows rounding to infinity, without allowing overflow
+ * within the int32_t that backs FloatParts.exp.
+ */
+ n = MIN(MAX(n, -0x10000), 0x10000);
 a.exp += n;
 }
 return a;
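Review bot: The clamp `n = MIN(MAX(n, -0x10000), 0x10000);` admits ±2^16, a 17-bit magnitude rather than the "16 bits" the new comment states, and the literal appears twice with nothing tying it to the width of `FloatParts.exp`. The no-overflow argument also relies on `a.exp` already being within a format's exponent range when it reaches `a.exp += n`, which this hunk does not show. Because `n` is presumably supplied by the emulated guest (the callers are outside the hunk), this line is the only guard against signed overflow of `exp`, so I would spell the invariant out: reword the comment to something like `Bounding N to +/-0x10000 keeps a.exp + n far inside int32_t for any unpacked exponent`, and replace the repeated literal with one named constant. The commit adds no regression case; a scalbn call with `n` near `INT_MAX` and `INT_MIN`, expecting infinity and zero respectively, would pin the behaviour described in the commit message. The body of scalbn_decomposed starts and ends outside the hunk.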