From 6165f644c98238036fd7353f2b1de6f07376c30a Mon Sep 17 00:00:00 2001 From: Ulf Hermann Date: Tue, 16 Jan 2018 15:44:34 +0100 Subject: Avoid undefined behavior in argp-parse.c The shifting-instead-of-masking trick outlined there is very clever, but only works incidentally. Explicitly preserve the sign, and still shift, but shift unsigned values for which left-shifting bits out is defined. make distcheck complains about the previous code with sufficiently recent compilers with UB sanitizers. Change-Id: I6f2942f307a2c154ea7d414a85c60e4f088fc918 Reviewed-by: Christian Kandeler --- libgnu/argp-parse.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libgnu/argp-parse.c b/libgnu/argp-parse.c index 3f723bc8..dc3106e7 100644 --- a/libgnu/argp-parse.c +++ b/libgnu/argp-parse.c @@ -740,12 +740,15 @@ parser_parse_opt (struct parser *parser, int opt, char *val) } } else - /* A long option. We use shifts instead of masking for extracting - the user value in order to preserve the sign. */ - err = - group_parse (&parser->groups[group_key - 1], &parser->state, - (opt << GROUP_BITS) >> GROUP_BITS, - parser->opt_data.optarg); + { + uint maskable = (uint)(opt < 0 ? -opt : opt); + maskable = (maskable << GROUP_BITS) >> GROUP_BITS; + int masked = opt < 0 ? -(int)maskable : (int)maskable; + + err = + group_parse (&parser->groups[group_key - 1], &parser->state, + masked, parser->opt_data.optarg); + } if (err == EBADKEY) /* At least currently, an option not recognized is an error in the -- cgit v1.2.3