gmp_snprintf tries to allocate 18 EB on long strings
Vincent Lefevre
vincent at vinc17.net
Tue May 23 19:34:20 UTC 2017
Consider the following program:
#include <stdio.h>
#include <gmp.h>

int main(void)
{
  int r;
  long n = -1;

  /* Two field widths whose sum, 2147483700, exceeds INT_MAX (2147483647).
     "%ln" stores the number of characters produced so far into n. */
  r = gmp_snprintf (NULL, 0, "%2147483600s%100s%ln", "", "", &n);
  printf ("%d %ld\n", r, n);
  return 0;
}
On my Debian/unstable x86_64 machine (GMP 6.1.2 provided by the Debian
package), I get after 273 seconds:
GNU MP: Cannot allocate memory (size=18446744071562067968)
Wow! 18 EB! Actually this is close to 2^64. I suspect a conversion
of a negative value to size_t as a consequence of an integer
overflow.
As a comparison, if I just use snprintf (glibc function), I get the
result -1 -1 after 12 seconds (the first value must be negative,
the second one may be regarded as unspecified due to the EOVERFLOW
failure).
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
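The report above suspects an int overflow in the summed field widths followed by a negative-to-size_t conversion. The following is an added example, not GMP code and not the poster's program, showing the two checks a formatter can apply: an overflow-checked width sum that rejects the format instead of wrapping, and a model of what the unchecked wrap and the size_t conversion produce. The widths 2147483600 and 100 are taken from the report; the function names are my own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Sum of printf-style field widths with overflow detection.  Returns 0 and
   stores the total in *total when every partial sum fits in an int; returns
   -1 as soon as adding widths[i] would exceed INT_MAX.  A formatter that
   does this can fail cleanly (e.g. return -1 / EOVERFLOW) instead of
   carrying a wrapped negative total into an allocation. */
int sum_widths_checked(const int *widths, size_t count, int *total)
{
    int sum = 0;
    for (size_t i = 0; i < count; i++) {
        if (widths[i] < 0 || sum > INT_MAX - widths[i])
            return -1;                  /* would overflow int: refuse */
        sum += widths[i];
    }
    *total = sum;
    return 0;
}

/* Models what an unchecked 32-bit int addition yields: the exact sum
   reduced modulo 2^32 back into the int range (two's-complement wrap).
   Computed in 64-bit arithmetic so the model itself has no undefined
   behaviour. */
long long wrapped_int_sum(int a, int b)
{
    long long exact = (long long)a + (long long)b;
    if (exact > INT_MAX)
        exact -= 4294967296LL;          /* 2^32 */
    else if (exact < INT_MIN)
        exact += 4294967296LL;
    return exact;
}

/* Conversion of a negative int to size_t is well defined in C: the value is
   reduced modulo 2^(bits in size_t), so a small negative number turns into
   an enormous allocation request. */
size_t negative_as_size(int v)
{
    return (size_t)v;
}

int main(void)
{
    /* Constructed sample: the two widths used in the report. */
    const int widths[] = { 2147483600, 100 };
    int total;

    if (sum_widths_checked(widths, 2, &total) != 0)
        printf("width sum overflows int: reject the format\n");

    printf("unchecked int wrap of 2147483600 + 100 = %lld\n",
           wrapped_int_sum(2147483600, 100));

    /* On a 64-bit size_t this is 2^64 - 2^31 = 18446744071562067968, the
       same number as the size quoted in the report; which intermediate GMP
       actually overflows is not something the report shows. */
    printf("(size_t)INT_MIN = %zu\n", negative_as_size(INT_MIN));
    return 0;
}
```

The checked sum is the mitigation: rejecting the width before any allocation is attempted turns a 273-second run ending in a huge allocation into an immediate error return.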