overflow in LIMBS_PER_DIGIT_IN_BASE
Zimmermann Paul
Paul.Zimmermann at inria.fr
Tue Dec 17 07:51:34 UTC 2013
with ABI=32, the macro LIMBS_PER_DIGIT_IN_BASE might overflow for large input
strings, as demonstrated by the following program: mp_bases[b].log2b is
3196634803, thus with ndigits=721334514 we have
_ph = floor(3196634803*ndigits/2^32) = 536870912 = 2^29, then 8*_ph = 2^32
overflows to 0, and the return value is 2. As a consequence, this leads to
an out-of-bounds write and the program aborts (here I've added some debug
statements to print intermediate values):
tarte% ./a.out
enter mpz_set_str, base=62
_ph=536870912
xsize=2
*** glibc detected *** ./a.out: free(): invalid next size (normal): 0x08314cb8 ***
Paul
PS: I guess the same happens with ABI=64, but with so large input strings that
it would be difficult to reproduce on a real computer.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "gmp.h"

#define N 721334514   /* number of digits chosen so that _ph = 2^29 */
#define B 62          /* base; mp_bases[62].log2b = 3196634803 */

int
main (void)
{
  char *str;
  mpz_t z;

  /* Build an N-digit string consisting of the largest base-B digit.  */
  str = malloc (N + 1);
  if (str == NULL)
    {
      fprintf (stderr, "malloc of %d bytes failed\n", N + 1);
      return 1;
    }
  memset (str, '0' + (B - 1), N);
  str[N] = '\0';

  mpz_init (z);
  mpz_set_str (z, str, B);   /* LIMBS_PER_DIGIT_IN_BASE under-estimates here */
  mpz_clear (z);
  free (str);
  return 0;
}
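The limb-count arithmetic from the report, carried out once as a 32-bit limb and once in 64-bit, as an added example that is not part of the original report or of GMP. The formula `8*_ph / 32 + 2` and the name `high_limb` are a model of the macro as the report describes it (ABI=32, GMP_NUMB_BITS = 32), not GMP's own macro text.

```c
#include <stdint.h>
#include <stdio.h>

/* mp_bases[62].log2b as quoted in the report. */
#define LOG2B_BASE62 3196634803u
#define NUMB_BITS_32 32u

/* Upper 32 bits of the 32x32 -> 64-bit product, i.e. the _ph limb
   (model of what umul_ppmm yields on a 32-bit limb). */
uint32_t high_limb(uint32_t log2b, uint32_t ndigits)
{
    return (uint32_t)(((uint64_t)log2b * ndigits) >> 32);
}

/* Limb estimate computed in 32-bit limb arithmetic: 8*_ph wraps mod 2^32. */
uint32_t limbs_wrapping(uint32_t ndigits)
{
    uint32_t ph = high_limb(LOG2B_BASE62, ndigits);
    uint32_t eight_ph = ph * 8u;        /* 2^29 * 8 == 2^32 -> wraps to 0 */
    return eight_ph / NUMB_BITS_32 + 2u;
}

/* The same estimate in 64-bit, where 8*_ph cannot wrap for a 32-bit _ph. */
uint64_t limbs_exact(uint32_t ndigits)
{
    uint64_t ph = high_limb(LOG2B_BASE62, ndigits);
    return ph * 8u / NUMB_BITS_32 + 2u;
}

/* Overflow check a caller could apply: 1 when 8*_ph does not fit 32 bits. */
int overflows(uint32_t ndigits)
{
    return high_limb(LOG2B_BASE62, ndigits) > UINT32_MAX / 8u;
}

int main(void)
{
    uint32_t n = 721334514u;            /* ndigits from the report */
    printf("_ph=%u wrapping=%u exact=%llu overflow=%d\n",
           high_limb(LOG2B_BASE62, n), limbs_wrapping(n),
           (unsigned long long)limbs_exact(n), overflows(n));
    return 0;
}
```

With the report's ndigits the wrapping variant returns 2 while the 64-bit variant returns 134217730 limbs, which is the gap that turns into the out-of-bounds write.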