Segmentation fault with mpz_inp_raw on gcc45

Vincent Lefevre vincent at vinc17.net
Wed Sep 15 15:38:19 UTC 2021


On 2021-09-15 17:34:01 +0200, Vincent Lefevre wrote:
> On 2021-09-15 17:05:42 +0200, Paul Zimmermann wrote:
> > Sorry, the test_dummy2.save is attached. It was generated by (under /bin/sh,
> > not /bin/bash):
> > 
> > echo -e "\n\r\n\r# this is a comment line and should be ignored" > test_dummy2.save
> 
> I can reproduce the segfault only with a 32-bit ABI.
> 
> read(3, "-e \n\r\n\r# this is a comment line "..., 4096) = 54
> mmap2(NULL, 224735232, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xea604000
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xca604012} ---
> 
> If I understand correctly, the read system call comes from the initial
> fread() to get the size, and the mmap2 comes from the allocation.

In mpz/inp_raw.c, I think that abs_csize*8 yields an integer overflow
on large sizes.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
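The arithmetic Vincent points at, modelled in C as an added example (this is not GMP's inp_raw.c; the 32-bit ABI is simulated with uint32_t, the 4-byte big-endian two's-complement size header follows the documented mpz_out_raw format, and the constructed header is the first four bytes "-e \n" of the file from the report). The unchecked variant reproduces the wrapped bit count and the undersized allocation; the checked variant rejects the size before any multiplication can wrap.

```c
#include <stdint.h>

#define LIMB_BYTES 4u   /* 32-bit limbs, as on the affected 32-bit ABI */

/* Decode the 4-byte big-endian two's-complement size header of the
   mpz_out_raw format and return the magnitude (byte count). */
uint32_t raw_abs_csize(const unsigned char hdr[4])
{
    int32_t csize = (int32_t)(((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16)
                            | ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3]);
    return csize < 0 ? 0u - (uint32_t)csize : (uint32_t)csize;
}

/* Unchecked model: the limb count is derived from abs_csize*8 held in a
   32-bit bit count, which wraps modulo 2^32 for large sizes.  Returns the
   number of bytes that would be allocated for the limbs. */
uint32_t alloc_bytes_unchecked(const unsigned char hdr[4])
{
    uint32_t abs_csize = raw_abs_csize(hdr);
    uint32_t bits  = abs_csize * 8u;          /* overflow happens here */
    uint32_t limbs = (bits + 31u) / 32u;      /* BITS_TO_LIMBS */
    return limbs * LIMB_BYTES;                /* may be < abs_csize */
}

/* Checked model: refuse sizes whose bit count cannot be represented, and
   derive the limb count from the byte count so nothing can wrap.  On
   rejection *ok is cleared and 0 is returned. */
uint32_t alloc_bytes_checked(const unsigned char hdr[4], int *ok)
{
    uint32_t abs_csize = raw_abs_csize(hdr);
    if (abs_csize > UINT32_MAX / 8u) {        /* abs_csize*8 would not fit */
        *ok = 0;
        return 0;
    }
    *ok = 1;
    uint32_t limbs = (abs_csize + LIMB_BYTES - 1u) / LIMB_BYTES;
    return limbs * LIMB_BYTES;                /* always >= abs_csize */
}

/* Constructed header: the bytes "-e \n" that /bin/sh's echo wrote at the
   start of test_dummy2.save (it does not understand -e). */
const unsigned char BAD_HDR[4] = { '-', 'e', ' ', '\n' };
```

For BAD_HDR the size decodes to 0x2D65200A = 761602058 bytes, while the unchecked limb allocation comes out at 224731148 bytes, consistent with the 224735232-byte mmap2 in the strace once allocator overhead is added; a write of abs_csize bytes into that block cannot fit.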