3 files changed, 11 insertions, 2 deletions

diff --git a/newlib/libc/include/sys/reent.h b/newlib/libc/include/sys/reent.h
index 60eb208a7..ed3d9aa01 100644
--- a/newlib/libc/include/sys/reent.h
+++ b/newlib/libc/include/sys/reent.h
@@ -800,6 +800,11 @@ struct _reent
 
 #endif /* !_REENT_SMALL */
 
+/* This value is used in stdlib/misc.c.  reent/reent.c has to know it
+   as well to make sure the freelist is correctly free'd.  Therefore
+   we define it here, rather than in stdlib/misc.c, as before. */
+#define _Kmax (sizeof (size_t) << 3)
+
 /*
  * All references to struct _reent are via this pointer.
  * Internally, newlib routines that need to reference it should use _REENT.
diff --git a/newlib/libc/reent/reent.c b/newlib/libc/reent/reent.c
index 3c9de71f7..63812db83 100644
--- a/newlib/libc/reent/reent.c
+++ b/newlib/libc/reent/reent.c
@@ -55,7 +55,7 @@ _DEFUN (_reclaim_reent, (ptr),
       if (_REENT_MP_FREELIST(ptr))
 	{
 	  int i;
-	  for (i = 0; i < 15 /* _Kmax */; i++) 
+	  for (i = 0; i < _Kmax; i++) 
 	    {
 	      struct _Bigint *thisone, *nextone;
 	
diff --git a/newlib/libc/stdlib/mprec.c b/newlib/libc/stdlib/mprec.c
index 6e84ece5b..2b982ef55 100644
--- a/newlib/libc/stdlib/mprec.c
+++ b/newlib/libc/stdlib/mprec.c
@@ -86,8 +86,12 @@
 #include <reent.h>
 #include "mprec.h"
 
-/* reent.c knows this value */
+/* This is defined in sys/reent.h as (sizeof (size_t) << 3) now, as in NetBSD.
+   The old value of 15 was wrong and made newlib vulnerable against buffer
+   overrun attacks (CVE-2009-0689), same as other implementations of gdtoa
+   based on BSD code.
 #define _Kmax 15
+*/
 
 _Bigint *
 _DEFUN (Balloc, (ptr, k), struct _reent *ptr _AND int k)