Use NetBSD fix for CVE-2009-0689 security vulnerability.

* libc/include/sys/reent.h (_Kmax): Define here based on the sizeof
	size_t, as in latest NetBSD.
	* libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant
	value 15.
	* libc/stdlib/mprec.c (_Kmax): Don't define here.  Explain why.

newlib/ChangeLog

@@ -1,3 +1,12 @@
+2009-11-23  Corinna Vinschen  <corinna@vinschen.de>
+
+	Use NetBSD fix for CVE-2009-0689 security vulnerability.
+	* libc/include/sys/reent.h (_Kmax): Define here based on the sizeof
+	size_t, as in latest NetBSD.
+	* libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant
+	value 15.
+	* libc/stdlib/mprec.c (_Kmax): Don't define here.  Explain why.
+
 2009-11-20  Nick Clifton  <nickc@redhat.com>
 
 	* libc/machine/rx/strncat.S (_strncat): Replace use of r6

newlib/libc/include/sys/reent.h

@@ -800,6 +800,11 @@ struct _reent
 
 #endif /* !_REENT_SMALL */
 
+/* This value is used in stdlib/misc.c.  reent/reent.c has to know it
+   as well to make sure the freelist is correctly free'd.  Therefore
+   we define it here, rather than in stdlib/misc.c, as before. */
+#define _Kmax (sizeof (size_t) << 3)
+
 /*
  * All references to struct _reent are via this pointer.
  * Internally, newlib routines that need to reference it should use _REENT.

newlib/libc/reent/reent.c

@@ -55,7 +55,7 @@ _DEFUN (_reclaim_reent, (ptr),
       if (_REENT_MP_FREELIST(ptr))
 	{
 	  int i;
-	  for (i = 0; i < 15 /* _Kmax */; i++) 
+	  for (i = 0; i < _Kmax; i++) 
 	    {
 	      struct _Bigint *thisone, *nextone;
 	

newlib/libc/stdlib/mprec.c

@@ -86,8 +86,12 @@
 #include <reent.h>
 #include "mprec.h"
 
-/* reent.c knows this value */
+/* This is defined in sys/reent.h as (sizeof (size_t) << 3) now, as in NetBSD.
+   The old value of 15 was wrong and made newlib vulnerable against buffer
+   overrun attacks (CVE-2009-0689), same as other implementations of gdtoa
+   based on BSD code.
 #define _Kmax 15
+*/
 
 _Bigint *
 _DEFUN (Balloc, (ptr, k), struct _reent *ptr _AND int k)