Stack overflow in gmp_get_str when passed a big number

Abdulaziz Ghuloum aghuloum at gmail.com
Thu Oct 2 00:48:12 CEST 2008 

Hello,

My Scheme compiler (Ikarus Scheme) uses gmp for its bignums.  It uses
gmp_get_str to convert bignums to base-10 strings.  It also crashes
when converting very large numbers.  I have seen the problem under a
Linux (2.6.18) machine with 2GB of ram, but it runs fine under OS X
(10.4) with the same amount of ram.  Attached is a small program that
exhibits the problem.  Let me know if I can provide more information
and please let me know if there is a workaround (other that writing
my own conversion routine).  Thanks.

Aziz,,,



#include <gmp.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
int main(int argc, char** argv){
   long bits = 43112609;
   long limbs = (bits + mp_bits_per_limb - 1) / mp_bits_per_limb;
   long size = limbs * sizeof(mp_limb_t);
   mp_limb_t* num = malloc(size);
   assert(num);
   memset(num, -1, size);
   long strlen = 1 + limbs * ((mp_bits_per_limb == 32) ? 10 : 20);
   unsigned char* str = malloc(strlen);
   assert(str);
   mpn_get_str(str, 10, num, limbs);
   return 0;
}


$ gcc -Wall -o tst tst.c -lgmp
$ ./tst
Segmentation fault
$ gdb ./tst
(gdb) run
Program received signal SIGSEGV, Segmentation fault.
0x0339a923 in __gmpn_tdiv_qr (qp=0xbf6cfbb0, rp=0xbf313020, qxn=0,
     np=0xb7aa3008, nn=1347270, dp=0xb673dba8, dn=979677) at  
tdiv_qr.c:385
385     tdiv_qr.c: No such file or directory.
         in tdiv_qr.c
(gdb) where
#0  0x0339a923 in __gmpn_tdiv_qr (qp=0xbf6cfbb0, rp=0xbf313020, qxn=0,
     np=0xb7aa3008, nn=1347270, dp=0xb673dba8, dn=979677) at  
tdiv_qr.c:385
#1  0x03396fa7 in mpn_dc_get_str (str=0xb6dc9008 "", len=0,  
up=0xb7aa3008,
     un=<value optimized out>, powtab=0x148ec6) at get_str.c:354
#2  0x0339722a in __gmpn_get_str (str=0xb6dc9008 "", base=10,  
up=0xb7aa3008,
     un=1347270) at get_str.c:495
#3  0x08048633 in main ()
(gdb) print/x $pc
$1 = 0x339a923
(gdb) disassemble $pc $pc+20
Dump of assembler code from 0x339a923 to 0x339a937:
0x0339a923 <__gmpn_tdiv_qr+2387>:       mov    %ecx,0x10(%esp)
0x0339a927 <__gmpn_tdiv_qr+2391>:       mov    0xffffff78(%ebp),%ecx
0x0339a92d <__gmpn_tdiv_qr+2397>:       mov    %eax,0xc(%esp)
0x0339a931 <__gmpn_tdiv_qr+2401>:       mov    0xffffff6c(%ebp),%eax
End of assembler dump.

More information about the gmp-bugs mailing list