Bug in mpz_out_str...
wraithx at morpheus.net
Thu Nov 11 04:46:17 CET 2010
I have been looking at mpz_out_str recently, and found what appears to be a bug
(or logical flaw) in the code. I am looking at out_str.c in the mpz directory
of GMP 5.0.1. When checking on the base, bases >= 0 are handled correctly, but
bases < 0 have no check to make sure they are "in bounds". If you pass a base
that is < -36, you can get undefined behavior since num_to_text is only 36
characters long, and a call to num_to_text[str[i]] can run off the end of this
character array. Also, there is no check to handle the case when base = 1 or
-1. When I ran the following program with base = 1 (or -1), the program never
completed; it just hung.
Here is an example program that on my system output a null character into the
#include <stdio.h>
#include <gmp.h>
int main(void)
{
    FILE *output;
    mpz_t num;
    const char *filename = "output.txt";
    mpz_init_set_ui(num, 1234567);  /* value is arbitrary; the base is what triggers the bug */
    if ((output = fopen(filename, "w")) == NULL) {
        printf(" ***ERROR***: Unable to open %s\n", filename);
        return 1;
    }/* end if */
    mpz_out_str(output, -60, num);  /* negative base below -36: no bounds check in out_str.c */
    if (fclose(output) != 0)
        printf(" ***ERROR***: Error closing %s\n", filename);
    mpz_clear(num);
}
I hope this is enough information for a bug report. Please let me know if you
need any further details or clarification of the above. Thank you for your time.
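Added example (not part of the original report, and not GMP's own code): a small
stand-alone model of the digit-table lookup the report describes, with the base
check that out_str.c is said to lack. The function names (base_is_valid,
ulong_to_base, renders_as) and the exact table layout are assumptions made for
illustration; the accepted range (2..62 or -2..-36) is the one the GMP manual
documents for mpz_out_str. It converts a plain unsigned long rather than an
mpz_t so it compiles without libgmp, but it shows both failure modes: a base
of 1 or -1 makes no progress (n / 1 == n) so the digit loop never ends, and a
base below -36 would index past a 36-entry table. The check runs before either
can happen.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Digit tables (assumed layout, modelled on the report's description):
   lowercase for positive bases up to 36, uppercase for negative bases,
   and a 62-entry table for bases 37..62. */
static const char lower36[] = "0123456789abcdefghijklmnopqrstuvwxyz";
static const char upper36[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
static const char full62[]  =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Accept only the bases the GMP manual documents for mpz_out_str:
   2..62 or -2..-36.  0, 1, -1 and anything below -36 are rejected. */
int base_is_valid(int base)
{
    return (base >= 2 && base <= 62) || (base <= -2 && base >= -36);
}

/* Render n in the given base into out.  Returns the number of characters
   written (excluding the NUL), or -1 if the base is out of range or the
   buffer is too small.  Without the base_is_valid() gate, base 1 or -1
   loops forever (n / 1 == n) and base < -36 reads past upper36[]. */
int ulong_to_base(unsigned long n, int base, char *out, size_t outlen)
{
    const char *digits;
    unsigned int b;
    char tmp[65];              /* 64 binary digits + NUL is the worst case */
    size_t len = 0;

    if (!base_is_valid(base) || outlen == 0)
        return -1;

    if (base < 0) {
        b = (unsigned int)(-base);
        digits = upper36;      /* |base| <= 36 here, so every index is in range */
    } else if (base <= 36) {
        b = (unsigned int)base;
        digits = lower36;
    } else {
        b = (unsigned int)base;
        digits = full62;
    }

    /* Least significant digit first; b >= 2 guarantees n shrinks each round. */
    do {
        tmp[len++] = digits[n % b];
        n /= b;
    } while (n != 0);

    if (len + 1 > outlen)
        return -1;

    for (size_t i = 0; i < len; i++)
        out[i] = tmp[len - 1 - i];
    out[len] = '\0';
    return (int)len;
}

/* Convenience check: 1 if n in base renders exactly as expect. */
int renders_as(unsigned long n, int base, const char *expect)
{
    char buf[65];
    int r = ulong_to_base(n, base, buf, sizeof buf);
    return r >= 0 && (size_t)r == strlen(expect) && strcmp(buf, expect) == 0;
}

int main(void)
{
    char buf[65];
    int bases[] = { 16, -16, 37, 62, 1, -1, -60 };   /* constructed sample bases */

    for (size_t i = 0; i < sizeof bases / sizeof bases[0]; i++) {
        if (ulong_to_base(255, bases[i], buf, sizeof buf) < 0)
            printf("base %4d: rejected\n", bases[i]);
        else
            printf("base %4d: %s\n", bases[i], buf);
    }
    return 0;
}
```

The same range test is what a caller can apply before handing a base to
mpz_out_str, and it is the check the report asks for on the library side.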
More information about the gmp-bugs