From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Ben Rocer"
Newsgroups: gmane.lisp.guile.bugs
Subject: bug#13827: faulty range check in bytevector accessor
Date: Mon, 28 Jul 2014 16:35:15 +0200
References: <87liaay0o1.fsf@Kagami.home>
In-Reply-To: <87liaay0o1.fsf@Kagami.home>
To: 13827@debbugs.gnu.org
X-GNU-PR-Message: followup 13827
X-GNU-PR-Package: guile
X-GNU-PR-Keywords: patch
Xref: news.gmane.org gmane.lisp.guile.bugs:7518

[resubmitting to bug-guile@gnu.org as debbugs seems to have eaten my first mail]

When I tried to reproduce this bug on a 32-bit x86 system, I got an abort in the function bytevector_large_set(); I think this is also where the bug is.

Specifically, there are two bugs in these two consecutive lines in bytevector_large_set():

  value_size = (mpz_sizeinbase (c_mpz, 2) + (8 * c_size)) / (8 * c_size);
  if (SCM_UNLIKELY (value_size > c_size))

In the first line, there is an off-by-one error in the calculation of value_size; it gives the wrong answer if mpz_sizeinbase() is a multiple of (8 * c_size) (see https://gmplib.org/manual/Integer-Import-and-Export.html).

Secondly, this calculation gives the number of (c_size-byte) *words* required to hold c_mpz, not the number of bytes. So the check in the next line should be (c_size * value_size > c_size), or equivalently (value_size > 1).

Since bytevector-u64-set!
also calls bytevector_large_set, it may be possible to reproduce this bug on 64-bit systems too; e.g. (bytevector-u64-set! (make-bytevector 8) 0 (expt 2 64) (endianness big)) [untested]

--- a/libguile/bytevectors.c +++ b/libguile/bytevectors.c @@ -867,10 +867,10 @@ bytevector_large_set (char *c_bv, size_t c_size, int signed_p, memset (c_bv, 0, c_size); else { - size_t word_count, value_size; + size_t word_count, value_words; - value_size = (mpz_sizeinbase (c_mpz, 2) + (8 * c_size)) / (8 * c_size); - if (SCM_UNLIKELY (value_size > c_size)) + value_words = (mpz_sizeinbase (c_mpz, 2) + (8 * c_size) - 1) / (8 * c_size); + if (SCM_UNLIKELY (value_words > 1)) { err = -2; goto finish;
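Review bot: the patch carries no regression test for the boundary it fixes; add a test-suite case that stores a value of exactly 8*c_size bits (e.g. 2^64 - 1 via bytevector-u64-set!, which the old `value_size` expression miscounted as two words) and one of 8*c_size + 1 bits (e.g. 2^64, which the old `value_size > c_size` comparison let through because 2 is not greater than 8), checking that the first succeeds and the second raises the out-of-range error. Also, since `value_words` is derived from mpz_sizeinbase, which counts the magnitude only, the new `value_words > 1` check does not by itself reject a positive value whose bit length equals 8*c_size when `signed_p` is set; a short comment above the check saying where the signed range is enforced would make that explicit.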
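The arithmetic discussed in this report, as an added example that is not part of the original mail or of Guile's source: it models the original `value_size` expression and the patched `value_words` expression side by side, with `mpz_sizeinbase (c_mpz, 2)` replaced by a plain bit-length parameter so it runs without GMP, and checks both range tests against the ground truth that a value of `bits` bits fits a `c_size`-byte slot iff `bits <= 8 * c_size`. All function names, including the `should_reject` and `count_mismatches` helpers, are this example's own and are not Guile identifiers.

```c
/* Added example (not Guile's code): models the word-count arithmetic and the
 * range check from bytevector_large_set() before and after the proposed fix.
 * mpz_sizeinbase (x, 2) is stood in for by a bit-length parameter so that the
 * example runs without GMP; a value such as 2^64 is modelled as "65 bits". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit length of a non-zero machine word: what mpz_sizeinbase (x, 2) returns
 * for such values (the zero case is handled by a separate branch in Guile). */
size_t bit_length_u64 (uint64_t v)
{
  size_t n = 0;
  while (v) { n++; v >>= 1; }
  return n;
}

/* Original expression: off by one when bits is an exact multiple of 8*c_size
 * (64 bits into an 8-byte slot yields 2 "words" instead of 1). */
size_t value_words_buggy (size_t bits, size_t c_size)
{
  return (bits + (8 * c_size)) / (8 * c_size);
}

/* Ceiling division as in the patch: c_size-byte words needed for the value. */
size_t value_words_fixed (size_t bits, size_t c_size)
{
  return (bits + (8 * c_size) - 1) / (8 * c_size);
}

/* Original check: compares a word count against a byte count, so a c_size-byte
 * slot accepts up to c_size words. Returns 1 when the value is rejected. */
int rejected_buggy (size_t bits, size_t c_size)
{
  return value_words_buggy (bits, c_size) > c_size;
}

/* Patched check: more than one word means the value does not fit the slot. */
int rejected_fixed (size_t bits, size_t c_size)
{
  return value_words_fixed (bits, c_size) > 1;
}

/* Ground truth: a bits-bit magnitude fits in c_size bytes iff bits <= 8*c_size. */
int should_reject (size_t bits, size_t c_size)
{
  return bits > 8 * c_size;
}

/* Number of bit lengths in [1, max_bits] for which `check` disagrees with the
 * ground truth; 0 means the check is exact for that slot size. */
size_t count_mismatches (int (*check) (size_t, size_t), size_t c_size, size_t max_bits)
{
  size_t bad = 0;
  for (size_t bits = 1; bits <= max_bits; bits++)
    if (check (bits, c_size) != should_reject (bits, c_size))
      bad++;
  return bad;
}

int main (void)
{
  size_t sizes[] = { 4, 8 };   /* u32 slot on 32-bit x86, u64 slot anywhere */
  for (size_t i = 0; i < 2; i++)
    {
      size_t c_size = sizes[i];
      printf ("c_size=%zu: original check wrong for %zu bit lengths, patched check wrong for %zu\n",
              c_size,
              count_mismatches (rejected_buggy, c_size, 1024),
              count_mismatches (rejected_fixed, c_size, 1024));
    }
  /* (expt 2 64) has 65 bits: the original check lets it into an 8-byte slot. */
  printf ("2^64 into a u64 slot: original rejects=%d, patched rejects=%d\n",
          rejected_buggy (65, 8), rejected_fixed (65, 8));
  printf ("2^64-1 (64 bits) counted as %zu word(s) originally, %zu after the patch\n",
          value_words_buggy (bit_length_u64 (UINT64_MAX), 8),
          value_words_fixed (bit_length_u64 (UINT64_MAX), 8));
  return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The mismatch count makes the second bug concrete: for an 8-byte slot the original comparison only rejects values of 512 bits or more, so every bit length from 65 to 511 (447 of them) passes the check and is then exported into an 8-byte buffer; for a 4-byte slot the window is 33 to 127 bits. The patched ceiling division and `> 1` comparison agree with the ground truth for every bit length tested.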