9d0536d82d
GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
28 lines
841 B
Diff
28 lines
841 B
Diff
# HG changeset patch
|
|
# User Marco Bodrato <bodrato@mail.dm.unipi.it>
|
|
# Date 1634836009 -7200
|
|
# Node ID 561a9c25298e17bb01896801ff353546c6923dbd
|
|
# Parent e1fd9db13b475209a864577237ea4b9105b3e96e
|
|
mpz/inp_raw.c: Avoid bit size overflows
|
|
|
|
[Retrieved from: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e]
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
|
|
diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c
|
|
--- a/mpz/inp_raw.c Tue Dec 22 23:49:51 2020 +0100
|
|
+++ b/mpz/inp_raw.c Thu Oct 21 19:06:49 2021 +0200
|
|
@@ -88,8 +88,11 @@
|
|
|
|
abs_csize = ABS (csize);
|
|
|
|
+ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
|
|
+ return 0; /* Bit size overflows */
|
|
+
|
|
/* round up to a multiple of limbs */
|
|
- abs_xsize = BITS_TO_LIMBS (abs_csize*8);
|
|
+ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
|
|
|
|
if (abs_xsize != 0)
|
|
{
|
|
|