pp_add: fix UB in a right shift

Use UVINTSIZE to calculate the number of bits of a UVINT variable. The invalid number of bits in the right shift resulted in a poisoned variable. A later branch depending on that variable becomes UB when -branch-on-poison-as-ub is enabled in LLVM, which was turned on by default in LLVM 15 [1]. [1] llvm/llvm-project@03aceab Pointed out by: @jrtc27
CTSRD-CHERI · Jan 9, 2025 · 6737ad5 · 6737ad5
1 parent 35ceed0
commit 6737ad5
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/pp_hot.c b/pp_hot.c
@@ -1423,8 +1423,8 @@ PP(pp_add)
             il = SvIVX(svl);
             ir = SvIVX(svr);
           do_iv:
-            topl = ((UV)il) >> (UVSIZE * 8 - 2);
-            topr = ((UV)ir) >> (UVSIZE * 8 - 2);
+            topl = ((UV)il) >> (UVINTSIZE * 8 - 2);
+            topr = ((UV)ir) >> (UVINTSIZE * 8 - 2);
 
             /* if both are in a range that can't under/overflow, do a
              * simple integer add: if the top of both numbers