integer overflow in mpz/clear.c of GMP 5.1.3

Torbjorn Granlund tg at gmplib.org
Sun Jan 19 14:02:18 UTC 2014


Vincent Lefevre <vincent at vinc17.net> writes:

  I know. That's what I've said in my bug report! The printf outputs
  the value computed by GMP, to show the bug:
  
    (*__gmp_free_func) (PTR (m), ALLOC (m) * BYTES_PER_MP_LIMB);
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  
  It was not clear, but I added the printf in the program above to make
  sure that the bug wasn't in MPFR's tests_free() function.
  
It turned out that that bug (with variations) had more serious
implications than computing a usually unused __gmp_free_func argument.
Similar computations were used for __gmp_allocate_func arguments in a
handful of places.

I fixed all places I could find.  Additional review would be welcome.

I have long wanted a machine with >= 512 Gibyte of RAM for regular GMP
testing.  Then we need to add optional huge operands testing to the
testsuite.  It needs to be optional since we cannot require every user
to have sufficient memory.  I expect to trigger a handful of GMP bugs
related to 32-bit bit counts and byte counts.

We expect mpz, mpq, mpf to allow 2^31-1 limbs, while mpn should allow at
least 2^50 bits.  Mark Sofroniou fixed some mpn bugs for this release,
but mpn has also not been thoroughly tested for huge operands.


Torbjörn
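Added illustration (example code written for this archive page, not code from the thread or from GMP): a small C program that models the byte-count computation quoted above, ALLOC (m) * BYTES_PER_MP_LIMB, once as an int-by-int product that is only widened to size_t afterwards, and once widened before multiplying with an explicit overflow check. It assumes 64-bit limbs (8 bytes per limb); the function names bytes_overflowing and bytes_checked are hypothetical. The wraparound is emulated with unsigned arithmetic so the demonstration itself has no undefined behaviour.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 64-bit limbs, so a limb is 8 bytes (as on x86-64). */
#define LIMB_BYTES 8

/* Models the overflowing expression: ALLOC(m) is an int and the
   constant is a plain integer literal, so the product is computed in
   32-bit int arithmetic and only afterwards widened to the size_t the
   allocation functions expect.  The wraparound is emulated with
   unsigned arithmetic and an explicit sign extension so that this demo
   itself has no undefined behaviour. */
size_t bytes_overflowing(int alloc_limbs)
{
    uint32_t low = (uint32_t)alloc_limbs * (uint32_t)LIMB_BYTES;
    if (low & 0x80000000u)                          /* int result went negative */
        return (size_t)low | ~(size_t)0xFFFFFFFFu;  /* sign-extend into size_t */
    return (size_t)low;
}

/* Hardened version: widen to size_t first and refuse products that do
   not fit, instead of handing a wrapped byte count to malloc/free. */
bool bytes_checked(int alloc_limbs, size_t *out)
{
    if (alloc_limbs < 0)
        return false;
    size_t n = (size_t)alloc_limbs;
    if (n > SIZE_MAX / LIMB_BYTES)
        return false;
    *out = n * LIMB_BYTES;
    return true;
}

int main(void)
{
    /* Constructed limb counts: small, just below and above the 2^28
       threshold where the 32-bit product stops fitting, and the
       2^31-1 maximum mpz allocation mentioned in the thread. */
    const int samples[] = { 1, 1 << 27, 1 << 28, 1 << 29, INT_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t good = 0;
        bool ok = bytes_checked(samples[i], &good);
        printf("alloc=%10d  int-multiply=%20zu  checked=%s%zu\n",
               samples[i], bytes_overflowing(samples[i]),
               ok ? "" : "overflow ", good);
    }
    return 0;
}
```

Two of the rows are the interesting ones. At 2^28 limbs the int product is 2^31, which is negative as an int and sign-extends to an enormous size_t, so an allocator call fails loudly. At 2^29 limbs the product is exactly 2^32, which wraps to 0: an allocator would be asked for zero bytes while the caller goes on to write 4 GiB into the result, which is the memory-corruption case. The checked version rejects nothing in this range on a 64-bit host (17179869176 bytes for INT_MAX limbs fits easily) and only refuses genuinely unrepresentable products or negative counts.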
