integer overflow in mpz/clear.c of GMP 5.1.3

Torbjorn Granlund tg at
Fri Jan 17 15:49:29 UTC 2014

Marc Glisse <marc.glisse at> writes:

  On Fri, 17 Jan 2014, Vincent Lefevre wrote:
  > mpz/clear.c contains:
  >  (*__gmp_free_func) (PTR (m), ALLOC (m) * BYTES_PER_MP_LIMB);
  > but both terms of the multiplication have int type.
  > There's a missing cast to size_t.
  > Other clear.c files may be affected by the same problem.
  Makes sense (I haven't looked).
GMP only supports 2^32-eps *bits* for 32-bit machines and 2^37-eps bits
for 64-bit machines.  An allocation counted in bytes will therefore not
exceed 2^31-1.  The way the bits limits are enforced is via the bytes
allocation, in most places!

But adding the casts won't hurt.

Please encrypt, key id 0xC8601622
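An added example, not code from GMP or from anyone in this thread, showing the arithmetic behind the report: with a stand-in BYTES_PER_MP_LIMB of 8 (the 64-bit limb size) and an int allocation counter like mpz's _mp_alloc, it reports the limb count at which the int-only product would exceed INT_MAX and shows the size_t-widened form. The constant and the struct-free helper functions are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for GMP's macro: limb size on a 64-bit build. */
#define BYTES_PER_MP_LIMB 8

/* Would ALLOC(m) * BYTES_PER_MP_LIMB, evaluated purely in int as in the
 * reported line of mpz/clear.c, exceed INT_MAX?  Signed overflow is
 * undefined behaviour in C, so instead of provoking a wrap we compute the
 * product in long long and compare it with INT_MAX. */
bool limb_bytes_would_overflow_int(int alloc)
{
    long long product = (long long)alloc * BYTES_PER_MP_LIMB;
    return product > INT_MAX;
}

/* The corrected expression with the missing cast: widening one operand to
 * size_t first makes the whole multiplication happen in size_t, so the
 * byte count survives intact (2^31 limbs * 8 fits easily in a 64-bit size_t). */
size_t limb_bytes_size_t(int alloc)
{
    return (size_t)alloc * BYTES_PER_MP_LIMB;
}

/* Largest limb count for which the uncast int expression is still safe;
 * anything above it needs the cast to be correct. */
int max_alloc_without_cast(void)
{
    return INT_MAX / BYTES_PER_MP_LIMB;
}
```

With an 8-byte limb the uncast product stays valid up to 268435455 limbs (just under 2 GiB of limb data); one limb more and only the size_t form yields the right byte count.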
