Segmentation fault with mpz_inp_raw on gcc45

Torbjörn Granlund tg at gmplib.org
Sat Sep 18 08:07:31 UTC 2021


  Yes, but, should we really consider it only a temporary overflow?
  Does GMP support mpz numbers with a bit-lenght that overflows?

GMP does not support such sizes.  My fix avoided the overflow, allowing
GMP overflow detection in the (re)allocation functions.

It makes sense from a bookkeeping overhead perspective to let the
(re)allocation handle overflow; we get it for free without any
calculation.

  Then, maybe something like the following could do?

  --- a/mpz/inp_raw.c     Tue Sep 14 19:05:51 2021 +0200
  +++ b/mpz/inp_raw.c     Fri Sep 17 18:49:14 2021 +0200
  @@ -87,9 +87,11 @@
       csize = size - 0x80000000u - 0x80000000u;

     abs_csize = ABS (csize);
  +  if (abs_csize > ~(mp_bitcnt_t) 0 / 8)
  +    return 0; /* Bit size overflows */

     /* round up to a multiple of limbs */
  -  abs_xsize = BITS_TO_LIMBS (abs_csize*8);
  +  abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);

     if (abs_xsize != 0)
       {

I suppose that, in this case, as my fix has problems with nails, this
might be a better patch.  An UNLIKELY(...) might have a place here,
though.

I took a very quick lock at other uses of BITS_TO_LIMBS and think we
might have one more place where scalar overflow might occur:
mpz/import.c.  There might be more places.

-- 
Torbjörn
Please encrypt, key id 0xC8601622


More information about the gmp-bugs mailing list