From jallison at ciq.com Mon Mar 16 17:32:09 2026
From: jallison at ciq.com (Jeremy Allison)
Date: Mon, 16 Mar 2026 09:32:09 -0700
Subject: Two use-after-free bugs.
Message-ID:

Bug #1:
--------------------------------------------------------------------------------

In mpf/out_str.c:mpf_out_str() at line 78 it calls mpf_get_str (str, &exp, base, n_digits, op);

76   str = (char *) TMP_ALLOC (n_digits + 2); /* extra for minus sign and \0 */
77
78   mpf_get_str (str, &exp, base, n_digits, op);
79   n_digits = strlen (str);

mpf_get_str() can realloc the str pointer passed into it, so the use of str in strlen() on line 79 can be pointing at freed memory.

312   /* If the string was alloced then resize it down to the actual space
313      required.  */
314   if (alloc_size != 0)
315     {
316       __GMP_REALLOCATE_FUNC_MAYBE_TYPE (dbuf, alloc_size, n_digits + 1, char);
317     }
318
319   return dbuf;

dbuf == str here, and __GMP_REALLOCATE_FUNC_MAYBE_TYPE can change the value of dbuf.

The fix is to change:

78   mpf_get_str (str, &exp, base, n_digits, op);

to:

78   str = mpf_get_str (str, &exp, base, n_digits, op);

in mpf/out_str.c:mpf_out_str().

------------------------------------------------------------------
Bug #2
------------------------------------------------------------------

In printf/asprntffuns.c: __gmp_asprintf_final looks like:

63 __gmp_asprintf_final (struct gmp_asprintf_t *d)
64 {
65   char *buf = d->buf;
66   ASSERT (d->alloc >= d->size + 1);
67   buf[d->size] = '\0';
68   __GMP_REALLOCATE_FUNC_MAYBE_TYPE (buf, d->alloc, d->size+1, char);
69   *d->result = buf;
70   return 0;
71 }

If __GMP_REALLOCATE_FUNC_MAYBE_TYPE changes buf, as realloc() is wont to do, then d->buf is left as a wild pointer.

The fix is to add:

    d->buf = buf;

after line 69:

69   *d->result = buf;

in __gmp_asprintf_final().

------------------------------------------------------------------
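An added illustration, not from this report or from GMP, of why the bug #2 fix has to write the moved pointer back into d->buf: a constructed asprintf-style state (invented names) is finalised through a reallocator that always moves the block, so the stale d->buf can be checked deterministically instead of depending on what libc's realloc happens to do.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for gmp_asprintf_t; the names are invented.
   result: where the finished string is handed back; buf: the buffer. */
struct asprintf_state { char **result; char *buf; size_t size, alloc; };

/* Reallocator that always moves the block (as a custom GMP memory
   function may), so the stale-pointer outcome is deterministic. */
static void *moving_realloc(void *old, size_t oldn, size_t newn)
{
    void *p = malloc(newn);
    memcpy(p, old, oldn < newn ? oldn : newn);
    free(old);
    return p;
}

/* Same shape as __GMP_REALLOCATE_FUNC_MAYBE_TYPE: rebinds 'ptr' only. */
#define REALLOC_MAYBE(ptr, oldn, newn) \
    do { if ((oldn) != (newn)) (ptr) = moving_realloc((ptr), (oldn), (newn)); } while (0)

/* Bug #2 as reported: the local moves, d->buf keeps the freed address. */
static int final_buggy(struct asprintf_state *d)
{
    char *buf = d->buf;
    buf[d->size] = '\0';
    REALLOC_MAYBE(buf, d->alloc, d->size + 1);
    *d->result = buf;
    return 0;
}

/* With the proposed fix: store the possibly-moved pointer back. */
static int final_fixed(struct asprintf_state *d)
{
    char *buf = d->buf;
    buf[d->size] = '\0';
    REALLOC_MAYBE(buf, d->alloc, d->size + 1);
    *d->result = buf;
    d->buf = buf;
    return 0;
}

/* 1 if d->buf still names the live block after finalising, else 0. */
static int buf_consistent(int (*final)(struct asprintf_state *))
{
    char *out = NULL;
    struct asprintf_state d = { &out, malloc(16), 5, 16 };
    memcpy(d.buf, "12345", 5);      /* constructed sample content */
    final(&d);
    int ok = (d.buf == out) && strcmp(out, "12345") == 0;
    free(out);
    return ok;
}
```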