gmp_printf bug?

Torbjorn Granlund tg at
Wed Jul 20 13:05:18 CEST 2011

Vincent Lefevre <vincent at> writes:

  On 2011-07-20 10:33:25 +0200, Paul Zimmermann wrote:
  > Maybe this is a glibc bug, anyway you can now isolate the problem,
  > and report it to the glibc developers if needed.
  When I did the test (see MPFR mailing-list), it was on my Mac OS X
The bug is in GMP.  It related to some calculations on the 64-bit
exponent using the 53 bits of accuracy of IEEE double.  This leads to
rounding, making some internal sizes slightly too large, which in turn
causes a one-byte stack smash, overwriting the least sigificant byte of
a saved register, which contains a pointer, later to be passed to

They stack layout depends on GCC version and optimisation level.  That
made it hard to reproduce.

I have no fix yet.  The problem is in mpf/get_str.c.  I expect similar
problems to appear in more places that uses the mp_bases[] table, but
these extreme exponents.

A possible aproach would be to store the chars_per_bit_exactly field as
an mp_limb_t (which always >= size_t) and use umul_ppmm and keep the
high word.  There are a couple of problems with that approach, though.

The integer part of GMP is safe.  We never promise more than 2^50 bits
even using mpn (and much less than that when using mpz).


More information about the gmp-bugs mailing list