out-of-bound write

Torbjorn Granlund tg at gmplib.org
Tue Dec 17 19:05:47 UTC 2013


Vincent Lefevre <vincent at vinc17.net> writes:

  Indeed. This is more or less equivalent to saying that this case
  has undefined behavior. Either leading zeros should be forbidden,
  or a bound on the amount of space should be documented. IMHO, for
  a fixed string size (and fixed base), the documented bound should
  be an increasing function of the value. For instance, it could be
  documented that the size in the case of leading zeros is bounded
  by the 1 + exact size of B^(STRSIZE-1). Is this the case with the
  current code?

Suggested new docs:

@deftypefun mp_size_t mpn_set_str (mp_limb_t *@var{rp}, const unsigned char *@var{str}, size_t @var{strsize}, int @var{base})
Convert bytes @{@var{str}, @var{strsize}@} in the given @var{base} to limbs at
@var{rp}.

@math{@var{str}[0]} is the most significant byte and
@math{@var{str}[@var{strsize}-1]} is the least significant.  Each byte should
be a value in the range 0 to @math{@var{base}-1}, not an ASCII character.
@var{base} can vary from 2 to 256.

The area at @var{rp} has to have space for the largest possible number
represented by a number with @var{strsize} digits in the chosen base,
plus one extra limb.

The return value is the number of valid limbs written to @var{rp}.  If the input
string had no leading zeros, the value at rp will also have no leading zeros.

If the most significant input byte is zero then there may be high zero limbs
written to @var{rp} and included in the return value.

@var{strsize} must be at least 1, and no overlap is permitted between
@{@var{str}, @var{strsize}@} and the result at @var{rp}.
@end deftypefun


Torbjörn
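
A caller-side view of the sizing rule in the proposed wording, as an added example that is not part of the original message or of GMP: it checks the documented preconditions and computes how many limbs to allocate at rp before calling mpn_set_str. The helper name, the limb_bits parameter (GMP_NUMB_BITS in real code) and the sample bytes are assumptions, and the bound rounds each digit up to ceil(log2(base)) bits, so it can only over-allocate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bits needed to hold any digit value 0..base-1, i.e. ceil(log2(base)). */
static unsigned digit_bits(int base)
{
    unsigned bits = 0;
    for (unsigned v = (unsigned)base - 1; v != 0; v >>= 1)
        bits++;
    return bits;
}

/*
 * Hypothetical helper: limbs to allocate at rp for mpn_set_str.
 * A strsize-digit number is below base^strsize <= 2^(strsize * bits), so
 * ceil(strsize * bits / limb_bits) limbs hold it; one extra limb is added
 * as the proposed documentation requires. Leading zero digits do not
 * reduce the result: the bound depends on strsize only, not on the value.
 * Returns 0 if a precondition fails or the size computation would overflow.
 */
size_t set_str_alloc_limbs(const unsigned char *str, size_t strsize,
                           int base, unsigned limb_bits)
{
    if (str == NULL || strsize < 1 || base < 2 || base > 256 || limb_bits == 0)
        return 0;
    unsigned bits = digit_bits(base);
    if (strsize > (SIZE_MAX - limb_bits) / bits)   /* strsize * bits overflows */
        return 0;
    for (size_t i = 0; i < strsize; i++)           /* raw digit values, not ASCII */
        if (str[i] >= (unsigned)base)
            return 0;
    return (strsize * bits + limb_bits - 1) / limb_bits + 1;
}

/* Constructed sample input: the value 5 written with three leading zeros. */
static const unsigned char sample_digits[] = {0, 0, 0, 5};

int main(void)
{
    size_t n = set_str_alloc_limbs(sample_digits, sizeof sample_digits, 10, 64);
    printf("allocate %zu limbs for %zu base-10 digits\n", n, sizeof sample_digits);
    return n == 0;
}
```

Allocate that many limbs, call mpn_set_str, and treat its return value as the count of valid limbs; a result of 0 from the helper means the input should be rejected before the call.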

