From avatar@brahms.mmlab.cse.yzu.edu.tw Wed May 19 04:48:31 1999
Return-Path: <avatar@brahms.mmlab.cse.yzu.edu.tw>
Received: from brahms.mmlab.cse.yzu.edu.tw (brahms.mmlab.cse.yzu.edu.tw [140.138.145.183])
	by hub.freebsd.org (Postfix) with SMTP id C6E8014C2B
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 19 May 1999 04:48:15 -0700 (PDT)
	(envelope-from avatar@brahms.mmlab.cse.yzu.edu.tw)
Received: (qmail 1146 invoked by uid 1000); 19 May 1999 11:48:15 -0000
Message-Id: <19990519114815.1145.qmail@brahms.mmlab.cse.yzu.edu.tw>
Date: 19 May 1999 11:48:15 -0000
From: avatar@www.mmlab.cse.yzu.edu.tw
Sender: avatar@brahms.mmlab.cse.yzu.edu.tw
Reply-To: avatar@www.mmlab.cse.yzu.edu.tw
To: FreeBSD-gnats-submit@freebsd.org
Subject: mpz_get_str() in libgmp leads up to coredump
X-Send-Pr-Version: 3.2

>Number:         11778
>Category:       misc
>Synopsis:       mpz_get_str() in libgmp leads up to coredump
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 19 04:50:00 PDT 1999
>Closed-Date:    Tue Jul 31 21:37:19 PDT 2001
>Last-Modified:  Tue Jul 31 21:41:59 PDT 2001
>Originator:     Tai-hwa Liang
>Release:        FreeBSD 2.2.8-19990120-SNAP i386
>Organization:
Multimedia Laboratory at Yuan Ze University, R.O.C.
>Environment:

	
	FreeBSD 2.2.8-19990120-SNAP i386

>Description:

	
	A bus error occurs when parsing a string with more than 31 leading '0'
characters via mpz_get_str().

>How-To-Repeat:
------------------------- gmp_bug.c -----------------------------
#include <stdio.h>
#include <gmp.h>

int
main(void)
{
	mpz_t		key1;
	/* 40 leading zeros in base 2: more than one 32-bit limb's worth. */
	char		xx[] = "0000000000000000000000000000000000000000";
	char		block[1024];
	unsigned int	i;

	/* Reported to crash with more than 31 leading zeros. */
	mpz_init_set_str(key1, xx, 2);
	/* The second argument of mpz_get_str() is the base, not the buffer size. */
	mpz_get_str(block, 10, key1);
	i = mpz_get_ui(key1);
	printf("result: %s %u\n", block, i);
	mpz_clear(key1);
	return 0;
}
------------------------ end of gmp_bug.c ----------------------------
compile & run:
	gcc gmp_bug.c -lgmp && ./a.out
	

>Fix:

According to Torbjorn Granlund <tege@matematik.su.se>:

	* mpz/set_str.c: Check for empty string after having skipped
	leading zeros.

	* mpz/set_str.c: Skip leading zeros.

	* mpz/set_str.c: Refine allocation size computation, use
	chars_per_bit_exactly instead of chars_per_limb.	

*** set_str.c.~1~	Wed May  8 09:11:04 1996
--- set_str.c	Thu Dec 31 13:23:27 1998
***************
*** 100,103 ****
--- 100,113 ----
      }
  
+   /* Skip leading zeros.  */
+   while (c == '0')
+     c = *str++;
+   /* Make sure the string does not become empty, mpn_set_str would fail.  */
+   if (c == 0)
+     {
+       x->_mp_size = 0;
+       return 0;
+     }
+ 
    TMP_MARK (marker);
    str_size = strlen (str - 1);
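Review bot: the new empty-string check returns 0 after setting `x->_mp_size = 0`, so an all-zero input such as the reporter's 40-zero string is now silently accepted as zero rather than rejected; since the return value cannot distinguish this from a normal conversion, the comment above the check should say so explicitly. The early return also exits before `TMP_MARK (marker)`, which is correct (no temporary storage is outstanding at that point), and it is worth noting in the same comment that the skip loop `while (c == '0') c = *str++;` relies on the NUL terminator to stop, so the following `str_size = strlen (str - 1);` measures the string from the first non-zero digit.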
***************
*** 121,125 ****
    str_size = s - begs;
  
!   xsize = str_size / __mp_bases[base].chars_per_limb + 1;
    if (x->_mp_alloc < xsize)
      _mpz_realloc (x, xsize);
--- 131,136 ----
    str_size = s - begs;
  
!   xsize = (((mp_size_t) (str_size / __mp_bases[base].chars_per_bit_exactly))
! 	   / BITS_PER_MP_LIMB + 2);
    if (x->_mp_alloc < xsize)
      _mpz_realloc (x, xsize);
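Review bot: the new size formula casts `str_size / __mp_bases[base].chars_per_bit_exactly` to `mp_size_t`, which truncates toward zero, and then relies on the trailing `+ 2` to absorb both that truncation and a partial final limb; a comment stating why two extra limbs (rather than the `+ 1` of the replaced line) are sufficient would make the bound auditable, because an under-estimate here goes straight into `_mpz_realloc (x, xsize)` and the limb writes of the conversion that follows.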
	


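The vendor fix above normalizes the input inside mpz_set_str (skip leading zeros, treat an all-zero string as zero, refine the allocation). A program that has to keep running against the old libgmp in -STABLE can do the first two steps on the caller side before the string reaches the library. The following is an added example, not code from the PR, from Torbjorn Granlund or from FreeBSD: `canonicalize_digits` and `canon_matches` are hypothetical helpers, and the sample inputs in `main` are constructed to include the reporter's 40-zero string.

```c
#include <stdio.h>
#include <string.h>

/* Map one character to its digit value in `base` (2..36), or -1 if it is
 * not a valid digit for that base. Both letter cases are accepted. */
static int digit_value(int ch, int base)
{
    int v;
    if (ch >= '0' && ch <= '9')
        v = ch - '0';
    else if (ch >= 'a' && ch <= 'z')
        v = ch - 'a' + 10;
    else if (ch >= 'A' && ch <= 'Z')
        v = ch - 'A' + 10;
    else
        return -1;
    return v < base ? v : -1;
}

/* Canonicalize a numeric string before handing it to a bignum parser:
 *  - an optional leading '-' is kept (dropped for zero);
 *  - leading zeros are removed, and an all-zero string becomes "0";
 *  - every remaining character must be a digit valid in `base`.
 * Writes the NUL-terminated result to `out` (capacity `outcap`).
 * Returns the length written, or -1 on invalid input or lack of space. */
int canonicalize_digits(const char *in, int base, char *out, size_t outcap)
{
    size_t n = 0;
    int negative = 0;

    if (base < 2 || base > 36 || in == NULL || out == NULL || outcap < 2)
        return -1;
    if (*in == '-') {
        negative = 1;
        in++;
    }
    if (*in == '\0')            /* empty string, or a bare sign */
        return -1;
    while (*in == '0')          /* the reporter's case: a run of zeros */
        in++;
    if (*in == '\0') {          /* nothing but zeros: canonical form is "0" */
        out[0] = '0';
        out[1] = '\0';
        return 1;
    }
    if (negative)
        out[n++] = '-';         /* outcap >= 2, so this always fits */
    for (; *in != '\0'; in++) {
        if (digit_value((unsigned char)*in, base) < 0)
            return -1;          /* reject rather than let the library guess */
        if (n + 1 >= outcap)    /* keep room for the terminating NUL */
            return -1;
        out[n++] = *in;
    }
    out[n] = '\0';
    return (int)n;
}

/* Returns 1 if canonicalizing `in` yields `expect`, or if `expect` is NULL
 * and the input is rejected; 0 otherwise. */
int canon_matches(const char *in, int base, const char *expect)
{
    char buf[64];
    int rc = canonicalize_digits(in, base, buf, sizeof buf);
    if (expect == NULL)
        return rc < 0;
    return rc == (int)strlen(expect) && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed inputs; the first is the string from the PR. */
    const char *samples[] = {
        "0000000000000000000000000000000000000000", "00101", "-0012", "00ff", "102"
    };
    const int bases[] = { 2, 2, 10, 16, 2 };
    char buf[64];
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int rc = canonicalize_digits(samples[k], bases[k], buf, sizeof buf);
        if (rc < 0)
            printf("%-42s base %2d -> rejected\n", samples[k], bases[k]);
        else
            printf("%-42s base %2d -> \"%s\"\n", samples[k], bases[k], buf);
    }
    return 0;
}
```

Only the string that survives this function is passed to mpz_set_str, so the library never sees a run of leading zeros or an empty string; the return value of mpz_set_str should still be checked, since the library remains the authority on what it accepts.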
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: steve 
Responsible-Changed-When: Sat May 29 21:25:32 PDT 1999 
Responsible-Changed-Why:  
Misfiled PR. 
State-Changed-From-To: open->feedback 
State-Changed-By: mike 
State-Changed-When: Fri Jul 20 15:12:28 PDT 2001 
State-Changed-Why:  

Does this problem still occur in newer versions of FreeBSD, 
such as 4.3-RELEASE? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=11778 

From: Mike Barcroft <mike@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: misc/11778: mpz_get_str() in libgmp leads up to coredump
Date: Tue, 31 Jul 2001 21:26:25 -0400

 Adding to Audit-Trail.
 
 ----- Forwarded message from Tai-hwa Liang <avatar@mmlab.cse.yzu.edu.tw> -----
 
 Delivered-To: mike@freebsd.org
 Date: Sat, 28 Jul 2001 17:50:18 +0800 (CST)
 From: Tai-hwa Liang <avatar@mmlab.cse.yzu.edu.tw>
 To: Kris Kennaway <kris@obsecurity.org>
 Cc: <mike@FreeBSD.org>, <freebsd-bugs@FreeBSD.org>
 Subject: Re: misc/11778: mpz_get_str() in libgmp leads up to coredump
 In-Reply-To: <20010728010528.C62184@xor.obsecurity.org>
 
 On Sat, 28 Jul 2001, Kris Kennaway wrote:
 [...]
 > How about with newer versions of gmp?  gmp is scheduled to be removed
 > from FreeBSD at some point in the future, so you should make sure this
 > bug is fixed by the vendor.
 >
 The bug seems to be fixed in the latest version: gmp-3.1.1.
 
 
 ----- End forwarded message -----
State-Changed-From-To: feedback->closed 
State-Changed-By: mike 
State-Changed-When: Tue Jul 31 21:37:19 PDT 2001 
State-Changed-Why:  

libgmp has been removed from -CURRENT and there are no plans to 
upgrade libgmp in -STABLE, so it's likely this bug will be fixed 
in FreeBSD.  But on the plus side, as the originator confirmed, 
this bug has been fixed in newer versions of libgmp available in 
the ports collection. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=11778 
>Unformatted:
