out-of-bound write

Torbjorn Granlund tg at gmplib.org
Wed Dec 18 17:34:29 UTC 2013


Vincent Lefevre <vincent at vinc17.net> writes:

  On 2013-12-17 20:05:47 +0100, Torbjorn Granlund wrote:
  > The area at @var{rp} has to have space for the largest possible number
  > represented by a number number with @var{strsize} digits in the chosen base,
                     ^^^^^^^^^^^^^
Thanks, I now remove a number of "number".

  > plus one extra limb.
  > 
  > The return value is the number of valid limbs written to @var{rp}.  If the input
  > string had no leading zeros, the value at rp will also have no leading zeros.
                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  
  Is this true? In Paul's example (16 Dec 2013 17:52:52 +0100),
  str has no leading zeros, but the byte after the most significant
  non-zero byte of rp has been set to 0.

It is true, I think.  The allocation >= the actual size, where the
actual size is the function return value.

Current text:


@deftypefun mp_size_t mpn_set_str (mp_limb_t *@var{rp}, const unsigned char *@var{str}, size_t @var{strsize}, int @var{base})
Convert bytes @{@var{str},@var{strsize}@} in the given @var{base} to limbs at
@var{rp}.

@math{@var{str}[0]} is the most significant byte and
@math{@var{str}[@var{strsize}-1]} is the least significant.  Each byte should
be a value in the range 0 to @math{@var{base}-1}, not an ASCII character.
@var{base} can vary from 2 to 256.

The area at @var{rp} has to have space for the largest possible number with
@var{strsize} digits in the chosen base, plus one extra limb.

The return value is the number of valid limbs written to @var{rp}.  If the input
string had no leading zeros, the value at rp will also have no leading zeros.
Note that this does not affect the @var{rp} allocation requirements.

If the most significant input byte is zero then there may be high zero limbs
written to @var{rp} and included in the return value.

@var{strsize} must be at least 1, and no overlap is permitted between
@{@var{str},@var{strsize}@} and the result at @var{rp}.
@end deftypefun



Torbjörn
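
The allocation rule in the text above (room for the largest possible @var{strsize}-digit number, plus one extra limb), worked through as an added example that is not part of the original message or of GMP. The names set_str_alloc_limbs and digit_bits are hypothetical, limb_bits is a caller-supplied stand-in for GMP_NUMB_BITS, and the result is a conservative upper bound because each digit is rounded up to a whole number of bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bits needed to hold one digit value in `base` (2..256): ceil(log2(base)). */
static unsigned digit_bits(int base)
{
    unsigned bits = 0;
    for (unsigned v = (unsigned)base - 1; v != 0; v >>= 1)
        bits++;
    return bits;
}

/*
 * Hypothetical helper: limbs to allocate at rp before calling mpn_set_str.
 * A strsize-digit number is below 2^(strsize * digit_bits(base)), so
 * ceil(total_bits / limb_bits) limbs hold it; the documented extra limb
 * is added on top. limb_bits is an assumption supplied by the caller
 * (GMP_NUMB_BITS in a real GMP build).
 * Returns 0 for invalid arguments or size_t overflow; a caller must treat
 * 0 as "do not allocate, do not call".
 */
size_t set_str_alloc_limbs(size_t strsize, int base, unsigned limb_bits)
{
    if (strsize < 1 || base < 2 || base > 256 || limb_bits == 0)
        return 0;

    unsigned per_digit = digit_bits(base);

    /* Reject sizes where strsize * per_digit + limb_bits - 1 would wrap. */
    if (limb_bits > SIZE_MAX || strsize > (SIZE_MAX - limb_bits) / per_digit)
        return 0;

    size_t total_bits = strsize * per_digit;
    size_t value_limbs = (total_bits + limb_bits - 1) / limb_bits;
    return value_limbs + 1;   /* plus one extra limb, as the text requires */
}

int main(void)
{
    /* Constructed sample inputs, 64-bit limbs assumed. */
    printf("20 digits, base 10 : %zu limbs\n", set_str_alloc_limbs(20, 10, 64));
    printf("8 bytes,   base 256: %zu limbs\n", set_str_alloc_limbs(8, 256, 64));
    printf("9 bytes,   base 256: %zu limbs\n", set_str_alloc_limbs(9, 256, 64));
    return 0;
}
```

The return value of mpn_set_str can be smaller than this allocation; the bound covers what the function may write, not what it reports as valid.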

