1 files changed, 351 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch b/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch
new file mode 100644
index 0000000000..bafb5ea1bf
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch
@@ -0,0 +1,351 @@
+From 49a60a3411b86df1e555acfe7e7a80754c5c6c69 Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Tue, 2 Feb 2016 13:46:37 +0100
+Subject: [PATCH] From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17
+ 00:00:00 2001 From: Joseph Myers <joseph@codesourcery.com> Date: Fri, 4 Dec
+ 2015 20:36:28 +0000 Subject: [PATCH] Fix nan functions handling of payload
+ strings (bug 16961, bug  16962).
+The nan, nanf and nanl functions handle payload strings by doing e.g.:
+  if (tagp[0] != '\0')
+    {
+      char buf[6 + strlen (tagp)];
+      sprintf (buf, "NAN(%s)", tagp);
+      return strtod (buf, NULL);
+    }
+This is an unbounded stack allocation based on the length of the
+argument.  Furthermore, if the argument starts with an n-char-sequence
+followed by ')', that n-char-sequence is wrongly treated as
+significant for determining the payload of the resulting NaN, when ISO
+C says the call should be equivalent to strtod ("NAN", NULL), without
+being affected by that initial n-char-sequence.  This patch fixes both
+those problems by using the __strtod_nan etc. functions recently
+factored out of strtod etc. for that purpose, with those functions
+being exported from libc at version GLIBC_PRIVATE.
+Tested for x86_64, x86, mips64 and powerpc.
+        [BZ #16961]
+        [BZ #16962]
+        * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
+        string on the stack for strtod.
+        * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
+        a string on the stack for strtof.
+        * math/s_nanl.c (__nanl): Use __strtold_nan instead of
+        constructing a string on the stack for strtold.
+        * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
+        __strtold_nan to GLIBC_PRIVATE.
+        * math/test-nan-overflow.c: New file.
+        * math/test-nan-payload.c: Likewise.
+        * math/Makefile (tests): Add test-nan-overflow and
+        test-nan-payload.
+Upstream-Status: Backport
+CVE: CVE-2014-9761 patch #2
+[Yocto # 8980]
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ math/Makefile            |   4 +-
+ math/s_nan.c             |   9 +---
+ math/s_nanf.c            |   9 +---
+ math/s_nanl.c            |   9 +---
+ math/test-nan-overflow.c |  66 +++++++++++++++++++++++++
+ math/test-nan-payload.c  | 122 +++++++++++++++++++++++++++++++++++++++++++++++
+ stdlib/Versions          |   1 +
+ 7 files changed, 195 insertions(+), 25 deletions(-)
+ create mode 100644 math/test-nan-overflow.c
+ create mode 100644 math/test-nan-payload.c
+diff --git a/math/Makefile b/math/Makefile
+index 05250c0..acb0007 100644
+--- a/math/Makefile
+++ b/math/Makefile
+@@ -92,7 +92,9 @@ tests = test-matherr test-fenv atest-exp atest-sincos atest-exp2 basic-test \
+        test-misc test-fpucw test-fpucw-ieee tst-definitions test-tgmath \
+        test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \
+        test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \
+-       test-fenv-tls test-fenv-preserve test-fenv-return $(tests-static)
+       test-fenv-tls test-fenv-preserve test-fenv-return \
+        test-nan-overflow test-nan-payload \
+        $(tests-static)
+ tests-static = test-fpucw-static test-fpucw-ieee-static
+ # We do the `long double' tests only if this data type is available and
+ # distinct from `double'.
+diff --git a/math/s_nan.c b/math/s_nan.c
+index c01085f..3dc9f77 100644
+--- a/math/s_nan.c
+++ b/math/s_nan.c
+@@ -28,14 +28,7 @@
+ double
+ __nan (const char *tagp)
+ {
+-  if (tagp[0] != '\0')
+-    {
+-      char buf[6 + strlen (tagp)];
+-      sprintf (buf, "NAN(%s)", tagp);
+-      return strtod (buf, NULL);
+-    }
+-
+-  return NAN;
+  return __strtod_nan (tagp, NULL, 0);
+ }
+ weak_alias (__nan, nan)
+ #ifdef NO_LONG_DOUBLE
+diff --git a/math/s_nanf.c b/math/s_nanf.c
+index a16fdbf..103fb8c 100644
+--- a/math/s_nanf.c
+++ b/math/s_nanf.c
+@@ -28,13 +28,6 @@
+ float
+ __nanf (const char *tagp)
+ {
+-  if (tagp[0] != '\0')
+-    {
+-      char buf[6 + strlen (tagp)];
+-      sprintf (buf, "NAN(%s)", tagp);
+-      return strtof (buf, NULL);
+-    }
+-
+-  return NAN;
+  return __strtof_nan (tagp, NULL, 0);
+ }
+ weak_alias (__nanf, nanf)
+diff --git a/math/s_nanl.c b/math/s_nanl.c
+index 3769f17..3ccd3bc 100644
+--- a/math/s_nanl.c
+++ b/math/s_nanl.c
+@@ -28,13 +28,6 @@
+ long double
+ __nanl (const char *tagp)
+ {
+-  if (tagp[0] != '\0')
+-    {
+-      char buf[6 + strlen (tagp)];
+-      sprintf (buf, "NAN(%s)", tagp);
+-      return strtold (buf, NULL);
+-    }
+-
+-  return NAN;
+  return __strtold_nan (tagp, NULL, 0);
+ }
+ weak_alias (__nanl, nanl)
+diff --git a/math/test-nan-overflow.c b/math/test-nan-overflow.c
+new file mode 100644
+index 0000000..f56aaf3
+--- /dev/null
+++ b/math/test-nan-overflow.c
+@@ -0,0 +1,66 @@
+/* Test nan functions stack overflow (bug 16962).
+   Copyright (C) 2015 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <math.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/resource.h>
+
+#define STACK_LIM 1048576
+#define STRING_SIZE (2 * STACK_LIM)
+
+static int
+do_test (void)
+{
+  int result = 0;
+  struct rlimit lim;
+  getrlimit (RLIMIT_STACK, &lim);
+  lim.rlim_cur = STACK_LIM;
+  setrlimit (RLIMIT_STACK, &lim);
+  char *nanstr = malloc (STRING_SIZE);
+  if (nanstr == NULL)
+    {
+      puts ("malloc failed, cannot test");
+      return 77;
+    }
+  memset (nanstr, '0', STRING_SIZE - 1);
+  nanstr[STRING_SIZE - 1] = 0;
+#define NAN_TEST(TYPE, FUNC)                   \
+  do                                           \
+    {                                          \
+      char *volatile p = nanstr;               \
+      volatile TYPE v = FUNC (p);              \
+      if (isnan (v))                           \
+       puts ("PASS: " #FUNC);                  \
+      else                                     \
+       {                                       \
+         puts ("FAIL: " #FUNC);                \
+         result = 1;                           \
+       }                                       \
+    }                                          \
+  while (0)
+  NAN_TEST (float, nanf);
+  NAN_TEST (double, nan);
+#ifndef NO_LONG_DOUBLE
+  NAN_TEST (long double, nanl);
+#endif
+  return result;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
+diff --git a/math/test-nan-payload.c b/math/test-nan-payload.c
+new file mode 100644
+index 0000000..358ff71
+--- /dev/null
+++ b/math/test-nan-payload.c
+@@ -0,0 +1,122 @@
+/* Test nan functions payload handling (bug 16961).
+   Copyright (C) 2015 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <float.h>
+#include <math.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* Avoid built-in functions.  */
+#define WRAP_NAN(FUNC, STR) \
+  ({ const char *volatile wns = (STR); FUNC (wns); })
+#define WRAP_STRTO(FUNC, STR) \
+  ({ const char *volatile wss = (STR); FUNC (wss, NULL); })
+
+#define CHECK_IS_NAN(TYPE, A)                  \
+  do                                           \
+    {                                          \
+      if (isnan (A))                           \
+       puts ("PASS: " #TYPE " " #A);           \
+      else                                     \
+       {                                       \
+         puts ("FAIL: " #TYPE " " #A);         \
+         result = 1;                           \
+       }                                       \
+    }                                          \
+  while (0)
+
+#define CHECK_SAME_NAN(TYPE, A, B)                     \
+  do                                                   \
+    {                                                  \
+      if (memcmp (&(A), &(B), sizeof (A)) == 0)                \
+       puts ("PASS: " #TYPE " " #A " = " #B);          \
+      else                                             \
+       {                                               \
+         puts ("FAIL: " #TYPE " " #A " = " #B);        \
+         result = 1;                                   \
+       }                                               \
+    }                                                  \
+  while (0)
+
+#define CHECK_DIFF_NAN(TYPE, A, B)                     \
+  do                                                   \
+    {                                                  \
+      if (memcmp (&(A), &(B), sizeof (A)) != 0)                \
+       puts ("PASS: " #TYPE " " #A " != " #B);         \
+      else                                             \
+       {                                               \
+         puts ("FAIL: " #TYPE " " #A " != " #B);       \
+         result = 1;                                   \
+       }                                               \
+    }                                                  \
+  while (0)
+
+/* Cannot test payloads by memcmp for formats where NaNs have padding
+   bits.  */
+#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106)
+
+#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG)         \
+  do                                                   \
+    {                                                  \
+     TYPE n123 = WRAP_NAN (FUNC, "123");               \
+     CHECK_IS_NAN (TYPE, n123);                                \
+     TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)");       \
+     CHECK_IS_NAN (TYPE, s123);                                \
+     TYPE n456 = WRAP_NAN (FUNC, "456");               \
+     CHECK_IS_NAN (TYPE, n456);                                \
+     TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)");       \
+     CHECK_IS_NAN (TYPE, s456);                                \
+     TYPE n123x = WRAP_NAN (FUNC, "123)");             \
+     CHECK_IS_NAN (TYPE, n123x);                       \
+     TYPE nemp = WRAP_NAN (FUNC, "");                  \
+     CHECK_IS_NAN (TYPE, nemp);                                \
+     TYPE semp = WRAP_STRTO (SFUNC, "NAN()");          \
+     CHECK_IS_NAN (TYPE, semp);                                \
+     TYPE sx = WRAP_STRTO (SFUNC, "NAN");              \
+     CHECK_IS_NAN (TYPE, sx);                          \
+     if (CAN_TEST_EQ (MANT_DIG))                       \
+       CHECK_SAME_NAN (TYPE, n123, s123);              \
+     if (CAN_TEST_EQ (MANT_DIG))                       \
+       CHECK_SAME_NAN (TYPE, n456, s456);              \
+     if (CAN_TEST_EQ (MANT_DIG))                       \
+       CHECK_SAME_NAN (TYPE, nemp, semp);              \
+     if (CAN_TEST_EQ (MANT_DIG))                       \
+       CHECK_SAME_NAN (TYPE, n123x, sx);               \
+     CHECK_DIFF_NAN (TYPE, n123, n456);                        \
+     CHECK_DIFF_NAN (TYPE, n123, nemp);                        \
+     CHECK_DIFF_NAN (TYPE, n123, n123x);               \
+     CHECK_DIFF_NAN (TYPE, n456, nemp);                        \
+     CHECK_DIFF_NAN (TYPE, n456, n123x);               \
+    }                                                  \
+  while (0)
+
+static int
+do_test (void)
+{
+  int result = 0;
+  RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG);
+  RUN_TESTS (double, strtod, nan, DBL_MANT_DIG);
+#ifndef NO_LONG_DOUBLE
+  RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG);
+#endif
+  return result;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
+diff --git a/stdlib/Versions b/stdlib/Versions
+index f1777df..60b628d 100644
+--- a/stdlib/Versions
+++ b/stdlib/Versions
+@@ -118,5 +118,6 @@ libc {
+     # Used from other libraries
+     __libc_secure_getenv;
+     __call_tls_dtors;
+    __strtof_nan; __strtod_nan; __strtold_nan;
+   }
+ }
+-- 
+1.9.1

diff --git a/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch b/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch new file mode 100644 index 0000000000..bafb5ea1bf --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2014-9761_2.patch
@@ -0,0 +1,351 @@
	1	From 49a60a3411b86df1e555acfe7e7a80754c5c6c69 Mon Sep 17 00:00:00 2001
	2	From: Sona Sarmadi <sona.sarmadi@enea.com>
	3	Date: Tue, 2 Feb 2016 13:46:37 +0100
	4	Subject: [PATCH] From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17
	5	00:00:00 2001 From: Joseph Myers <joseph@codesourcery.com> Date: Fri, 4 Dec
	6	2015 20:36:28 +0000 Subject: [PATCH] Fix nan functions handling of payload
	7	strings (bug 16961, bug 16962).
	8
	9	The nan, nanf and nanl functions handle payload strings by doing e.g.:
	10
	11	if (tagp[0] != '\0')
	12	{
	13	char buf[6 + strlen (tagp)];
	14	sprintf (buf, "NAN(%s)", tagp);
	15	return strtod (buf, NULL);
	16	}
	17
	18	This is an unbounded stack allocation based on the length of the
	19	argument. Furthermore, if the argument starts with an n-char-sequence
	20	followed by ')', that n-char-sequence is wrongly treated as
	21	significant for determining the payload of the resulting NaN, when ISO
	22	C says the call should be equivalent to strtod ("NAN", NULL), without
	23	being affected by that initial n-char-sequence. This patch fixes both
	24	those problems by using the __strtod_nan etc. functions recently
	25	factored out of strtod etc. for that purpose, with those functions
	26	being exported from libc at version GLIBC_PRIVATE.
	27
	28	Tested for x86_64, x86, mips64 and powerpc.
	29
	30	[BZ #16961]
	31	[BZ #16962]
	32	* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
	33	string on the stack for strtod.
	34	* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
	35	a string on the stack for strtof.
	36	* math/s_nanl.c (__nanl): Use __strtold_nan instead of
	37	constructing a string on the stack for strtold.
	38	* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
	39	__strtold_nan to GLIBC_PRIVATE.
	40	* math/test-nan-overflow.c: New file.
	41	* math/test-nan-payload.c: Likewise.
	42	* math/Makefile (tests): Add test-nan-overflow and
	43	test-nan-payload.
	44
	45	Upstream-Status: Backport
	46	CVE: CVE-2014-9761 patch #2
	47	[Yocto # 8980]
	48
	49	https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
	50
	51	Signed-off-by: Armin Kuster <akuster@mvista.com>
	52	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	53	---
	54	math/Makefile \| 4 +-
	55	math/s_nan.c \| 9 +---
	56	math/s_nanf.c \| 9 +---
	57	math/s_nanl.c \| 9 +---
	58	math/test-nan-overflow.c \| 66 +++++++++++++++++++++++++
	59	math/test-nan-payload.c \| 122 +++++++++++++++++++++++++++++++++++++++++++++++
	60	stdlib/Versions \| 1 +
	61	7 files changed, 195 insertions(+), 25 deletions(-)
	62	create mode 100644 math/test-nan-overflow.c
	63	create mode 100644 math/test-nan-payload.c
	64
	65	diff --git a/math/Makefile b/math/Makefile
	66	index 05250c0..acb0007 100644
	67	--- a/math/Makefile
	68	+++ b/math/Makefile
	69	@@ -92,7 +92,9 @@ tests = test-matherr test-fenv atest-exp atest-sincos atest-exp2 basic-test \
	70	test-misc test-fpucw test-fpucw-ieee tst-definitions test-tgmath \
	71	test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \
	72	test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \
	73	- test-fenv-tls test-fenv-preserve test-fenv-return $(tests-static)
	74	+ test-fenv-tls test-fenv-preserve test-fenv-return \
	75	+ test-nan-overflow test-nan-payload \
	76	+ $(tests-static)
	77	tests-static = test-fpucw-static test-fpucw-ieee-static
	78	# We do the `long double' tests only if this data type is available and
	79	# distinct from `double'.
	80	diff --git a/math/s_nan.c b/math/s_nan.c
	81	index c01085f..3dc9f77 100644
	82	--- a/math/s_nan.c
	83	+++ b/math/s_nan.c
	84	@@ -28,14 +28,7 @@
	85	double
	86	__nan (const char *tagp)
	87	{
	88	- if (tagp[0] != '\0')
	89	- {
	90	- char buf[6 + strlen (tagp)];
	91	- sprintf (buf, "NAN(%s)", tagp);
	92	- return strtod (buf, NULL);
	93	- }
	94	-
	95	- return NAN;
	96	+ return __strtod_nan (tagp, NULL, 0);
	97	}
	98	weak_alias (__nan, nan)
	99	#ifdef NO_LONG_DOUBLE
	100	diff --git a/math/s_nanf.c b/math/s_nanf.c
	101	index a16fdbf..103fb8c 100644
	102	--- a/math/s_nanf.c
	103	+++ b/math/s_nanf.c
	104	@@ -28,13 +28,6 @@
	105	float
	106	__nanf (const char *tagp)
	107	{
	108	- if (tagp[0] != '\0')
	109	- {
	110	- char buf[6 + strlen (tagp)];
	111	- sprintf (buf, "NAN(%s)", tagp);
	112	- return strtof (buf, NULL);
	113	- }
	114	-
	115	- return NAN;
	116	+ return __strtof_nan (tagp, NULL, 0);
	117	}
	118	weak_alias (__nanf, nanf)
	119	diff --git a/math/s_nanl.c b/math/s_nanl.c
	120	index 3769f17..3ccd3bc 100644
	121	--- a/math/s_nanl.c
	122	+++ b/math/s_nanl.c
	123	@@ -28,13 +28,6 @@
	124	long double
	125	__nanl (const char *tagp)
	126	{
	127	- if (tagp[0] != '\0')
	128	- {
	129	- char buf[6 + strlen (tagp)];
	130	- sprintf (buf, "NAN(%s)", tagp);
	131	- return strtold (buf, NULL);
	132	- }
	133	-
	134	- return NAN;
	135	+ return __strtold_nan (tagp, NULL, 0);
	136	}
	137	weak_alias (__nanl, nanl)
	138	diff --git a/math/test-nan-overflow.c b/math/test-nan-overflow.c
	139	new file mode 100644
	140	index 0000000..f56aaf3
	141	--- /dev/null
	142	+++ b/math/test-nan-overflow.c
	143	@@ -0,0 +1,66 @@
	144	+/* Test nan functions stack overflow (bug 16962).
	145	+ Copyright (C) 2015 Free Software Foundation, Inc.
	146	+ This file is part of the GNU C Library.
	147	+
	148	+ The GNU C Library is free software; you can redistribute it and/or
	149	+ modify it under the terms of the GNU Lesser General Public
	150	+ License as published by the Free Software Foundation; either
	151	+ version 2.1 of the License, or (at your option) any later version.
	152	+
	153	+ The GNU C Library is distributed in the hope that it will be useful,
	154	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
	155	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	156	+ Lesser General Public License for more details.
	157	+
	158	+ You should have received a copy of the GNU Lesser General Public
	159	+ License along with the GNU C Library; if not, see
	160	+ <http://www.gnu.org/licenses/>. */
	161	+
	162	+#include <math.h>
	163	+#include <stdio.h>
	164	+#include <string.h>
	165	+#include <sys/resource.h>
	166	+
	167	+#define STACK_LIM 1048576
	168	+#define STRING_SIZE (2 * STACK_LIM)
	169	+
	170	+static int
	171	+do_test (void)
	172	+{
	173	+ int result = 0;
	174	+ struct rlimit lim;
	175	+ getrlimit (RLIMIT_STACK, &lim);
	176	+ lim.rlim_cur = STACK_LIM;
	177	+ setrlimit (RLIMIT_STACK, &lim);
	178	+ char *nanstr = malloc (STRING_SIZE);
	179	+ if (nanstr == NULL)
	180	+ {
	181	+ puts ("malloc failed, cannot test");
	182	+ return 77;
	183	+ }
	184	+ memset (nanstr, '0', STRING_SIZE - 1);
	185	+ nanstr[STRING_SIZE - 1] = 0;
	186	+#define NAN_TEST(TYPE, FUNC) \
	187	+ do \
	188	+ { \
	189	+ char *volatile p = nanstr; \
	190	+ volatile TYPE v = FUNC (p); \
	191	+ if (isnan (v)) \
	192	+ puts ("PASS: " #FUNC); \
	193	+ else \
	194	+ { \
	195	+ puts ("FAIL: " #FUNC); \
	196	+ result = 1; \
	197	+ } \
	198	+ } \
	199	+ while (0)
	200	+ NAN_TEST (float, nanf);
	201	+ NAN_TEST (double, nan);
	202	+#ifndef NO_LONG_DOUBLE
	203	+ NAN_TEST (long double, nanl);
	204	+#endif
	205	+ return result;
	206	+}
	207	+
	208	+#define TEST_FUNCTION do_test ()
	209	+#include "../test-skeleton.c"
	210	diff --git a/math/test-nan-payload.c b/math/test-nan-payload.c
	211	new file mode 100644
	212	index 0000000..358ff71
	213	--- /dev/null
	214	+++ b/math/test-nan-payload.c
	215	@@ -0,0 +1,122 @@
	216	+/* Test nan functions payload handling (bug 16961).
	217	+ Copyright (C) 2015 Free Software Foundation, Inc.
	218	+ This file is part of the GNU C Library.
	219	+
	220	+ The GNU C Library is free software; you can redistribute it and/or
	221	+ modify it under the terms of the GNU Lesser General Public
	222	+ License as published by the Free Software Foundation; either
	223	+ version 2.1 of the License, or (at your option) any later version.
	224	+
	225	+ The GNU C Library is distributed in the hope that it will be useful,
	226	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
	227	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	228	+ Lesser General Public License for more details.
	229	+
	230	+ You should have received a copy of the GNU Lesser General Public
	231	+ License along with the GNU C Library; if not, see
	232	+ <http://www.gnu.org/licenses/>. */
	233	+
	234	+#include <float.h>
	235	+#include <math.h>
	236	+#include <stdio.h>
	237	+#include <stdlib.h>
	238	+#include <string.h>
	239	+
	240	+/* Avoid built-in functions. */
	241	+#define WRAP_NAN(FUNC, STR) \
	242	+ ({ const char *volatile wns = (STR); FUNC (wns); })
	243	+#define WRAP_STRTO(FUNC, STR) \
	244	+ ({ const char *volatile wss = (STR); FUNC (wss, NULL); })
	245	+
	246	+#define CHECK_IS_NAN(TYPE, A) \
	247	+ do \
	248	+ { \
	249	+ if (isnan (A)) \
	250	+ puts ("PASS: " #TYPE " " #A); \
	251	+ else \
	252	+ { \
	253	+ puts ("FAIL: " #TYPE " " #A); \
	254	+ result = 1; \
	255	+ } \
	256	+ } \
	257	+ while (0)
	258	+
	259	+#define CHECK_SAME_NAN(TYPE, A, B) \
	260	+ do \
	261	+ { \
	262	+ if (memcmp (&(A), &(B), sizeof (A)) == 0) \
	263	+ puts ("PASS: " #TYPE " " #A " = " #B); \
	264	+ else \
	265	+ { \
	266	+ puts ("FAIL: " #TYPE " " #A " = " #B); \
	267	+ result = 1; \
	268	+ } \
	269	+ } \
	270	+ while (0)
	271	+
	272	+#define CHECK_DIFF_NAN(TYPE, A, B) \
	273	+ do \
	274	+ { \
	275	+ if (memcmp (&(A), &(B), sizeof (A)) != 0) \
	276	+ puts ("PASS: " #TYPE " " #A " != " #B); \
	277	+ else \
	278	+ { \
	279	+ puts ("FAIL: " #TYPE " " #A " != " #B); \
	280	+ result = 1; \
	281	+ } \
	282	+ } \
	283	+ while (0)
	284	+
	285	+/* Cannot test payloads by memcmp for formats where NaNs have padding
	286	+ bits. */
	287	+#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106)
	288	+
	289	+#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG) \
	290	+ do \
	291	+ { \
	292	+ TYPE n123 = WRAP_NAN (FUNC, "123"); \
	293	+ CHECK_IS_NAN (TYPE, n123); \
	294	+ TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)"); \
	295	+ CHECK_IS_NAN (TYPE, s123); \
	296	+ TYPE n456 = WRAP_NAN (FUNC, "456"); \
	297	+ CHECK_IS_NAN (TYPE, n456); \
	298	+ TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)"); \
	299	+ CHECK_IS_NAN (TYPE, s456); \
	300	+ TYPE n123x = WRAP_NAN (FUNC, "123)"); \
	301	+ CHECK_IS_NAN (TYPE, n123x); \
	302	+ TYPE nemp = WRAP_NAN (FUNC, ""); \
	303	+ CHECK_IS_NAN (TYPE, nemp); \
	304	+ TYPE semp = WRAP_STRTO (SFUNC, "NAN()"); \
	305	+ CHECK_IS_NAN (TYPE, semp); \
	306	+ TYPE sx = WRAP_STRTO (SFUNC, "NAN"); \
	307	+ CHECK_IS_NAN (TYPE, sx); \
	308	+ if (CAN_TEST_EQ (MANT_DIG)) \
	309	+ CHECK_SAME_NAN (TYPE, n123, s123); \
	310	+ if (CAN_TEST_EQ (MANT_DIG)) \
	311	+ CHECK_SAME_NAN (TYPE, n456, s456); \
	312	+ if (CAN_TEST_EQ (MANT_DIG)) \
	313	+ CHECK_SAME_NAN (TYPE, nemp, semp); \
	314	+ if (CAN_TEST_EQ (MANT_DIG)) \
	315	+ CHECK_SAME_NAN (TYPE, n123x, sx); \
	316	+ CHECK_DIFF_NAN (TYPE, n123, n456); \
	317	+ CHECK_DIFF_NAN (TYPE, n123, nemp); \
	318	+ CHECK_DIFF_NAN (TYPE, n123, n123x); \
	319	+ CHECK_DIFF_NAN (TYPE, n456, nemp); \
	320	+ CHECK_DIFF_NAN (TYPE, n456, n123x); \
	321	+ } \
	322	+ while (0)
	323	+
	324	+static int
	325	+do_test (void)
	326	+{
	327	+ int result = 0;
	328	+ RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG);
	329	+ RUN_TESTS (double, strtod, nan, DBL_MANT_DIG);
	330	+#ifndef NO_LONG_DOUBLE
	331	+ RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG);
	332	+#endif
	333	+ return result;
	334	+}
	335	+
	336	+#define TEST_FUNCTION do_test ()
	337	+#include "../test-skeleton.c"
	338	diff --git a/stdlib/Versions b/stdlib/Versions
	339	index f1777df..60b628d 100644
	340	--- a/stdlib/Versions
	341	+++ b/stdlib/Versions
	342	@@ -118,5 +118,6 @@ libc {
	343	# Used from other libraries
	344	__libc_secure_getenv;
	345	__call_tls_dtors;
	346	+ __strtof_nan; __strtod_nan; __strtold_nan;
	347	}
	348	}
	349	--
	350	1.9.1
	351