integer overflow in mpz/clear.c of GMP 5.1.3
tg at gmplib.org
Fri Jan 17 15:49:29 UTC 2014
Marc Glisse <marc.glisse at inria.fr> writes:
> On Fri, 17 Jan 2014, Vincent Lefevre wrote:
>> mpz/clear.c contains:
>> (*__gmp_free_func) (PTR (m), ALLOC (m) * BYTES_PER_MP_LIMB);
>> but both terms of the multiplication have int type.
>> There's a missing cast to size_t.
>> Other clear.c files may be affected by the same problem.
> Makes sense (I haven't looked).
GMP only supports 2^32-eps *bits* for 32-bit machines and 2^37-eps bits
for 64-bit machines. An allocation counted in bytes will therefore not
exceed 2^31-1. The way the bits limits are enforced is via the bytes
allocation, in most places!
But adding the casts won't hurt.
Please encrypt, key id 0xC8601622
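As an added illustration of the point raised in this thread (this is example code, not GMP's own mpz/clear.c): the reported line multiplies two `int` values, so the byte count handed to the deallocator is computed in `int` arithmetic even though the callee takes a `size_t`. The block below keeps the `int` multiplication out of the executed path (signed overflow is undefined behaviour) and instead checks by division whether it *would* overflow, next to the widened form Vincent suggests and a checked form that also guards the `size_t` product. `LIMB_BYTES`, the function names and the limb counts used are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for GMP's BYTES_PER_MP_LIMB on a 64-bit-limb build. */
#define LIMB_BYTES 8

/* Would `alloc * limb_bytes`, evaluated in int as in the reported line,
   overflow INT_MAX?  Decided by division so this function never performs
   the overflowing multiplication itself. */
int int_product_overflows(int alloc, int limb_bytes)
{
    if (alloc < 0 || limb_bytes <= 0)
        return 1;
    return alloc > INT_MAX / limb_bytes;
}

/* The suggested fix: widen both operands to size_t before multiplying,
   so the product is computed in the callee's parameter type. */
size_t limb_bytes_widened(int alloc, int limb_bytes)
{
    return (size_t) alloc * (size_t) limb_bytes;
}

/* Stricter variant: reject negative counts and a product that would wrap
   even in size_t.  Returns 0 on success, -1 on a rejected input. */
int limb_bytes_checked(int alloc, int limb_bytes, size_t *out)
{
    if (alloc < 0 || limb_bytes <= 0)
        return -1;
    if ((size_t) alloc > SIZE_MAX / (size_t) limb_bytes)
        return -1;
    *out = (size_t) alloc * (size_t) limb_bytes;
    return 0;
}

int main(void)
{
    /* Constructed limb counts: one small, one large enough that the
       int product exceeds INT_MAX while the size_t product still fits
       even in a 32-bit size_t. */
    int counts[] = { 1000, 300000000 };
    size_t i;

    for (i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t bytes = 0;
        int ovf = int_product_overflows(counts[i], LIMB_BYTES);
        int rc = limb_bytes_checked(counts[i], LIMB_BYTES, &bytes);
        printf("ALLOC=%d: int product overflows=%d, widened=%zu, checked rc=%d\n",
               counts[i], ovf, limb_bytes_widened(counts[i], LIMB_BYTES), rc);
    }
    return 0;
}
```

The second count (300000000 limbs, 2.4 GB of limb storage) is below the `size_t` ceiling on any common platform but above `INT_MAX / 8`, which is exactly the region where the unwidened expression misbehaves; the checked variant additionally turns a negative or absurd count into an error instead of a wrapped size.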