From: "Ben Rocer" <fleabyte@mail.com>
To: 13827@debbugs.gnu.org
Subject: bug#13827: faulty range check in bytevector accessor
Date: Mon, 28 Jul 2014 16:35:15 +0200
Message-ID: <trinity-96fcd96c-0848-4edb-a3a9-a91041b6fa03-1406558114890@3capp-mailcom-lxa07>
In-Reply-To: <87liaay0o1.fsf@Kagami.home>

[resubmitting to bug-guile@gnu.org as debbugs seems to have eaten my
 first mail]

When I tried to reproduce this bug on a 32-bit x86 system, I got an
abort in the function bytevector_large_set(); I think this is also
where the bug is.

Specifically, there are two bugs in these two consecutive lines in
bytevector_large_set():

value_size = (mpz_sizeinbase (c_mpz, 2) + (8 * c_size)) / (8 * c_size);
if (SCM_UNLIKELY (value_size > c_size))

In the first line, there is an off-by-one error in the calculation of
value_size; it gives the wrong answer if mpz_sizeinbase() is a
multiple of (8 * c_size) (see
https://gmplib.org/manual/Integer-Import-and-Export.html).

Secondly, this calculation gives the number of (c_size-byte) *words*
required to hold c_mpz, not the number of bytes. So the check in the
next line should be (c_size * value_size > c_size), or equivalently
(value_size > 1).

Since bytevector-u64-set! also calls bytevector_large_set, it
may be possible to reproduce this bug on 64-bit systems too; e.g.
(bytevector-u64-set! (make-bytevector 8) 0 (expt 2 64) (endianness big))
[untested]


--- a/libguile/bytevectors.c
+++ b/libguile/bytevectors.c
@@ -867,10 +867,10 @@ bytevector_large_set (char *c_bv, size_t c_size, int signed_p,
     memset (c_bv, 0, c_size);
   else
     {
-      size_t word_count, value_size;
+      size_t word_count, value_words;
 
-      value_size = (mpz_sizeinbase (c_mpz, 2) + (8 * c_size)) / (8 * c_size);
-      if (SCM_UNLIKELY (value_size > c_size))
+      value_words = (mpz_sizeinbase (c_mpz, 2) + (8 * c_size) - 1) / (8 * c_size);
+      if (SCM_UNLIKELY (value_words > 1))
 	{
 	  err = -2;
 	  goto finish;
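Review bot: the new bound in `if (SCM_UNLIKELY (value_words > 1))` is the right one (a value that fits in one c_size-byte word fits the c_size-byte destination), but nothing in the hunk says so; a one-line comment such as `/* c_mpz must fit in a single c_size-byte word.  */` above the check would spare the next reader the derivation that the rename from `value_size` to `value_words` only hints at. Note also that the test is purely on magnitude and never consults the `signed_p` parameter visible in the hunk header, so a positive value whose top bit is set passes it just like a value that fits a signed word; it is worth confirming that case is covered by a separate check.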


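The two defects in the report, the off-by-one in the word count and the word-count-versus-byte-count comparison, are easiest to see side by side. The following is an added, self-contained example, not code from Guile or from this thread; it has no GMP dependency and models `mpz_sizeinbase (c_mpz, 2)` as a plain `bits` parameter, so `words_needed_fixed`, `words_needed_buggy`, `accepts_original`, `accepts_compare_only`, `accepts_patched`, `export_bytes` and `count_overflow_accepts` are all names chosen for this illustration. It also covers the partial fix (only the comparison changed) that the report's two-bug analysis implies would wrongly reject values whose bit length is an exact multiple of the word size.

```c
#include <stddef.h>
#include <stdio.h>

/* Width in bits of a c_size-byte word. */
static size_t word_bits (size_t c_size) { return 8 * c_size; }

/* Corrected count from the patch: ceil(bits / (8 * c_size)).  `bits`
   stands in for mpz_sizeinbase (c_mpz, 2); mpz_export writes exactly
   this many c_size-byte words into the destination. */
size_t words_needed_fixed (size_t bits, size_t c_size)
{
  return (bits + word_bits (c_size) - 1) / word_bits (c_size);
}

/* Original count: floor(bits / (8 * c_size)) + 1, which is one too
   many exactly when bits is a multiple of 8 * c_size. */
size_t words_needed_buggy (size_t bits, size_t c_size)
{
  return (bits + word_bits (c_size)) / word_bits (c_size);
}

/* Bytes mpz_export would write; more than c_size means an overflow of
   the c_size-byte slot. */
size_t export_bytes (size_t bits, size_t c_size)
{
  return words_needed_fixed (bits, c_size) * c_size;
}

/* Original check: a word count compared against a byte count.
   Returns 1 when the value is accepted for export. */
int accepts_original (size_t bits, size_t c_size)
{
  return !(words_needed_buggy (bits, c_size) > c_size);
}

/* Only the comparison fixed, formula left alone: rejects values that
   fill a word exactly (e.g. 2^63 for an 8-byte slot). */
int accepts_compare_only (size_t bits, size_t c_size)
{
  return !(words_needed_buggy (bits, c_size) > 1);
}

/* Both fixes, as in the patch. */
int accepts_patched (size_t bits, size_t c_size)
{
  return !(words_needed_fixed (bits, c_size) > 1);
}

/* Number of bit lengths in [1, max_bits] that the original check accepts
   although the export would write more than c_size bytes. */
size_t count_overflow_accepts (size_t c_size, size_t max_bits)
{
  size_t n = 0, bits;
  for (bits = 1; bits <= max_bits; bits++)
    if (accepts_original (bits, c_size)
        && export_bytes (bits, c_size) > c_size)
      n++;
  return n;
}

int main (void)
{
  size_t c_size = 8;            /* the bytevector-u64-set! case */
  size_t bits;

  printf ("bits  export_bytes  original  compare_only  patched\n");
  for (bits = 63; bits <= 66; bits++)
    printf ("%4zu  %12zu  %8d  %12d  %7d\n", bits,
            export_bytes (bits, c_size), accepts_original (bits, c_size),
            accepts_compare_only (bits, c_size),
            accepts_patched (bits, c_size));

  printf ("bit lengths up to 1024 accepted by the original check but "
          "overflowing a %zu-byte slot: %zu\n",
          c_size, count_overflow_accepts (c_size, 1024));
  return 0;
}
```

For an 8-byte slot the original check lets every bit length from 65 up to 511 through, because a value needs more than eight 8-byte words before `value_size > c_size` fires; the comparison-only fix closes that hole but turns 64-bit values into false rejections, and only the combination in the patch accepts exactly the bit lengths 1 through 64.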





Thread overview: 9+ messages
2013-02-27  2:02 bug#13827: faulty range check in bytevector accessor Ian Price
2013-02-27  2:30 ` Mark H Weaver
2013-02-27 11:42 ` Ludovic Courtès
2013-02-28  1:38   ` Mark H Weaver
2013-02-28 20:20   ` Ian Price
2013-03-13 12:55 ` Andy Wingo
2013-03-13 14:37   ` Andy Wingo
2014-07-28 14:35 ` Ben Rocer [this message]
2016-06-20 15:16   ` Andy Wingo
