Bug in mpz_out_str...

David Cleaver wraithx at morpheus.net
Thu Nov 11 04:46:17 CET 2010


I have been looking at mpz_out_str recently, and found what appears to be a bug 
(or logical flaw) in the code.  I am looking at out_str.c in the mpz directory 
of GMP 5.0.1.  When checking on the base, bases >= 0 are handled correctly, but 
bases < 0 have no check to make sure they are "in bounds".  If you pass a base 
that is < -36, you can get undefined behavior since num_to_text is only 36 
characters long, and a call to num_to_text[str[i]] can run off the end of this 
character array.  Also, there is no check to handle the case when base = 1 or 
-1.  When I ran the following program with base = 1 (or -1), the program never 
completed; it just hung.

Here is an example program that on my system output a null character into the 
output file:

#include <stdio.h>
#include <gmp.h>

int main(int argc, char* argv[])
{
   mpz_t num;
   char filename[] = "output.txt";
   FILE *output;

   if ((output = fopen(filename, "w")) == NULL) {
     printf(" ***ERROR***: Unable to open %s\n", filename);
     return 1;
   }/* end if */

   mpz_init_set_ui(num, 43112609);

   /* base -60 is below -36, so the digit lookup runs past num_to_text */
   mpz_out_str(output, -60, num);

   if (fclose(output) != 0)
     printf(" ***ERROR***: Error closing %s\n", filename);

   mpz_clear(num);
   return 0;
}

I hope this is enough information for a bug report.  Please let me know if you 
need any further details or clarification of the above.  Thank you for your time.

-David C.
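The two missing checks the report describes (a base whose magnitude exceeds the 36-character digit table, and a base of 1 or -1 that never reduces the value) can be seen in a small stand-alone conversion routine. This is an added illustration, not GMP code: num_to_text, base_in_bounds and checked_to_str are constructed here, the table is the 36-character uppercase one the report mentions, and for simplicity the toy applies the same 36 limit to positive bases (GMP's positive-base handling is not reproduced).

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the 36-character uppercase digit table the
   report refers to; only the name mirrors the report. */
static const char num_to_text[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Returns 1 if |base| can be used with the table above: at least 2 so the
   digit loop terminates, and at most strlen(num_to_text) so every digit
   index stays inside the array. Base 0 is accepted as "default to 10". */
int base_in_bounds(int base)
{
    int mag = base < 0 ? -base : base;
    if (base == 0)
        return 1;
    return mag >= 2 && mag <= (int)(sizeof num_to_text - 1);
}

/* Writes n in radix |base| into buf. Returns the number of characters
   written, or -1 if the base is rejected or buf is too small. The sign of
   base is ignored here; the toy uses one table for both signs. */
int checked_to_str(unsigned long n, int base, char *buf, size_t buflen)
{
    char tmp[64];
    size_t i = 0, k;
    unsigned mag;

    if (!base_in_bounds(base))
        return -1;                        /* reject -60, 1, -1, ... up front */
    mag = base == 0 ? 10 : (unsigned)(base < 0 ? -base : base);

    do {                                  /* terminates because mag >= 2 */
        tmp[i++] = num_to_text[n % mag];  /* index < mag <= 36: in bounds */
        n /= mag;
    } while (n != 0 && i < sizeof tmp);

    if (i + 1 > buflen)
        return -1;
    for (k = 0; k < i; k++)               /* digits were produced least-significant first */
        buf[k] = tmp[i - 1 - k];
    buf[i] = '\0';
    return (int)i;
}
```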
