From 53c065086ba304d40b23f8539008757090ff6a58 Mon Sep 17 00:00:00 2001
From: Greg McGary <greg@mcgary.org>
Date: Fri, 25 Aug 2000 21:09:43 +0000
Subject: [PATCH] * sysdeps/i386/memchr.S: Check high bound against

chars actually scanned.
* sysdeps/i386/memcmp.S: Likewise.
* sysdeps/i386/stpncpy.S: Adjust high-bound check to
account for pointers that lie one beyond end-of-buffer.
---
 sysdeps/i386/memchr.S  | 3 ++-
 sysdeps/i386/memcmp.S  | 8 +++++---
 sysdeps/i386/stpncpy.S | 4 ++--
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/sysdeps/i386/memchr.S b/sysdeps/i386/memchr.S
index d01a31c855..cae0fd27d8 100644
--- a/sysdeps/i386/memchr.S
+++ b/sysdeps/i386/memchr.S
@@ -53,7 +53,7 @@ ENTRY (BP_SYM (__memchr))
 	movl STR(%esp), %eax	/* str: pointer to memory block.  */
 	movl CHR(%esp), %edx	/* c: byte we are looking for.  */
 	movl LEN(%esp), %esi	/* len: length of memory block.  */
-	CHECK_BOUNDS_BOTH_WIDE (%eax, STR(%esp), %esi)
+	CHECK_BOUNDS_LOW (%eax, STR(%esp))
 
 	/* If my must not test more than three characters test
 	   them one by one.  This is especially true for 0.  */
@@ -314,6 +314,7 @@ L(8):	testb %cl, %cl		/* test first byte in dword */
 	/* No further test needed we we know it is one of the four bytes.  */
 L(9):
 #if __BOUNDED_POINTERS__
+	CHECK_BOUNDS_HIGH (%eax, STR(%esp), jb)
 	/* If RTN pointer is phony, don't copy return value into it.  */
 	movl RTN(%esp), %ecx
 	testl %ecx, %ecx
diff --git a/sysdeps/i386/memcmp.S b/sysdeps/i386/memcmp.S
index 8d855b9d2a..d8b60d06c5 100644
--- a/sysdeps/i386/memcmp.S
+++ b/sysdeps/i386/memcmp.S
@@ -38,8 +38,8 @@ ENTRY (BP_SYM (memcmp))
 	movl BLK1(%esp), %esi
 	movl BLK2(%esp), %edi
 	movl LEN(%esp), %ecx
-	CHECK_BOUNDS_BOTH_WIDE (%esi, BLK1(%esp), %ecx)
-	CHECK_BOUNDS_BOTH_WIDE (%edi, BLK2(%esp), %ecx)
+	CHECK_BOUNDS_LOW (%esi, BLK1(%esp))
+	CHECK_BOUNDS_LOW (%edi, BLK2(%esp))
 
 	cld			/* Set direction of comparison.  */
 
@@ -62,7 +62,9 @@ ENTRY (BP_SYM (memcmp))
 	   Note that the following operation does not change 0xffffffff.  */
 	orb $1, %al		/* Change 0 to 1.  */
 
-L(1):	popl %esi		/* Restore registers.  */
+L(1):	CHECK_BOUNDS_HIGH (%esi, BLK1(%esp), jbe)
+	CHECK_BOUNDS_HIGH (%edi, BLK2(%esp), jbe)
+	popl %esi		/* Restore registers.  */
 	movl %edx, %edi
 
 	LEAVE
diff --git a/sysdeps/i386/stpncpy.S b/sysdeps/i386/stpncpy.S
index 8ca2c9dccc..a6d510e365 100644
--- a/sysdeps/i386/stpncpy.S
+++ b/sysdeps/i386/stpncpy.S
@@ -143,8 +143,8 @@ L(3):	decl %ecx		/* all bytes written? */
 L(9):
 #if __BOUNDED_POINTERS__
 	addl %eax, %esi		/* undo magic: %esi now points beyond end of SRC */
-	CHECK_BOUNDS_HIGH (%esi, SRC(%esp), jb)
-	CHECK_BOUNDS_HIGH (%eax, DEST(%esp), jb)
+	CHECK_BOUNDS_HIGH (%esi, SRC(%esp), jbe)
+	CHECK_BOUNDS_HIGH (%eax, DEST(%esp), jbe)
 	RETURN_BOUNDED_POINTER (DEST(%esp))
 #endif
 	popl %esi		/* restore saved register content */