Restrict sample values of the Laplace distribution to int64_t.

This helps avoid undefined behavior from casting big double values to
int64_t. Fixes #14090.

1 files changed, 15 insertions, 5 deletions

diff --git a/src/common/util.c b/src/common/util.c
index f7baab0791..be866a5fe6 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -527,15 +527,25 @@ round_int64_to_next_multiple_of(int64_t number, int64_t divisor)
 
 /** Transform a random value <b>p</b> from the uniform distribution in
  * [0.0, 1.0[ into a Laplace distributed value with location parameter
- * <b>mu</b> and scale parameter <b>b</b> in [-Inf, Inf[. */
-double
+ * <b>mu</b> and scale parameter <b>b</b>. Truncate the final result
+ * to be an integer in [INT64_MIN, INT64_MAX]. */
+int64_t
 sample_laplace_distribution(double mu, double b, double p)
 {
+  double result;
+
   tor_assert(p >= 0.0 && p < 1.0);
   /* This is the "inverse cumulative distribution function" from:
    * http://en.wikipedia.org/wiki/Laplace_distribution */
-  return mu - b * (p > 0.5 ? 1.0 : -1.0)
-                * tor_mathlog(1.0 - 2.0 * fabs(p - 0.5));
+  result =  mu - b * (p > 0.5 ? 1.0 : -1.0)
+                   * tor_mathlog(1.0 - 2.0 * fabs(p - 0.5));
+
+  if (result >= INT64_MAX)
+    return INT64_MAX;
+  else if (result <= INT64_MIN)
+    return INT64_MIN;
+  else
+    return (int64_t) result;
 }
 
 /** Add random noise between INT64_MIN and INT64_MAX coming from a
@@ -546,10 +556,10 @@ int64_t
 add_laplace_noise(int64_t signal, double random, double delta_f,
                   double epsilon)
 {
-  /* cast to int64_t intended */
   int64_t noise = sample_laplace_distribution(
                0.0, /* just add noise, no further signal */
                delta_f / epsilon, random);
+
   if (noise > 0 && INT64_MAX - noise < signal)
     return INT64_MAX;
   else if (noise < 0 && INT64_MIN - noise > signal)