From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: "Ben Rocer" <fleabyte@mail.com>
Newsgroups: gmane.lisp.guile.bugs
Subject: bug#13827: faulty range check in bytevector accessor
Date: Mon, 28 Jul 2014 16:35:15 +0200
Message-ID: <trinity-96fcd96c-0848-4edb-a3a9-a91041b6fa03-1406558114890@3capp-mailcom-lxa07>
References: <87liaay0o1.fsf@Kagami.home>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Trace: ger.gmane.org 1406603436 11892 80.91.229.3 (29 Jul 2014 03:10:36 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Tue, 29 Jul 2014 03:10:36 +0000 (UTC)
To: 13827@debbugs.gnu.org
Original-X-From: bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org Tue Jul 29 05:10:30 2014
Return-path: <bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org>
Envelope-to: guile-bugs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org>)
	id 1XBxo6-0001K2-4J
	for guile-bugs@m.gmane.org; Tue, 29 Jul 2014 05:10:30 +0200
Original-Received: from localhost ([::1]:43392 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org>)
	id 1XBxo5-0003w2-MG
	for guile-bugs@m.gmane.org; Mon, 28 Jul 2014 23:10:29 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:46346)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1XBm27-0007np-0w
	for bug-guile@gnu.org; Mon, 28 Jul 2014 10:36:16 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1XBm1y-0007bf-BB
	for bug-guile@gnu.org; Mon, 28 Jul 2014 10:36:10 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:45629)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1XBm1y-0007bb-8G
	for bug-guile@gnu.org; Mon, 28 Jul 2014 10:36:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1XBm1x-0004ea-QM
	for bug-guile@gnu.org; Mon, 28 Jul 2014 10:36:01 -0400
X-Loop: help-debbugs@gnu.org
In-Reply-To: <87liaay0o1.fsf@Kagami.home>
Resent-From: "Ben Rocer" <fleabyte@mail.com>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guile@gnu.org
Resent-Date: Mon, 28 Jul 2014 14:36:01 +0000
Resent-Message-ID: <handler.13827.B.140655815317870@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 13827
X-GNU-PR-Package: guile
X-GNU-PR-Keywords: patch
X-Debbugs-Original-To: bug-guile@gnu.org
Original-Received: via spool by submit@debbugs.gnu.org id=B.140655815317870
	(code B ref -1); Mon, 28 Jul 2014 14:36:01 +0000
Original-Received: (at submit) by debbugs.gnu.org; 28 Jul 2014 14:35:53 +0000
Original-Received: from localhost ([127.0.0.1]:40895 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1XBm1k-0004e4-Uv
	for submit@debbugs.gnu.org; Mon, 28 Jul 2014 10:35:52 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:44560)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <fleabyte@mail.com>) id 1XBm1e-0004dk-Mf
	for submit@debbugs.gnu.org; Mon, 28 Jul 2014 10:35:46 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <fleabyte@mail.com>) id 1XBm1T-0007a4-Ax
	for submit@debbugs.gnu.org; Mon, 28 Jul 2014 10:35:37 -0400
Original-Received: from lists.gnu.org ([2001:4830:134:3::11]:43637)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <fleabyte@mail.com>) id 1XBm1T-0007a0-7y
	for submit@debbugs.gnu.org; Mon, 28 Jul 2014 10:35:31 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:46267)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <fleabyte@mail.com>) id 1XBm1N-0007aB-Cc
	for bug-guile@gnu.org; Mon, 28 Jul 2014 10:35:31 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <fleabyte@mail.com>) id 1XBm1H-0007YO-Gw
	for bug-guile@gnu.org; Mon, 28 Jul 2014 10:35:25 -0400
Original-Received: from mout.gmx.com ([74.208.4.201]:54331)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <fleabyte@mail.com>) id 1XBm1H-0007Y5-BX
	for bug-guile@gnu.org; Mon, 28 Jul 2014 10:35:19 -0400
Original-Received: from [162.247.73.206] by 3capp-mailcom-lxa07.server.lan (via
	HTTP); Mon, 28 Jul 2014 16:35:15 +0200
Importance: normal
Sensitivity: Normal
X-Priority: 3
X-Provags-ID: V03:K0:kOvobkbWWYU94ewQVEzaZ4zt8C6GBWt+D0rg02GhG8U
	tqv2Odnyr6euidwccInPr4VC8cYYRHpRU/vhjV4FdAvYgQcYJt
	dN4U+CZgk/QjpC3zp2EoE4+2O2zQpjWfdCNahPGngSEH040mPy
	BFSpVGp8flp5GLvba6fSom7D41GXTeg//E73qLShu6I8C+kDaZ
	U4ew8R3klpmqzDnK65cXNe+k1N04edv3Ieu0LPYoRgTSuaXGfN
	eKR4Ruz8i6oj1aBFkw2+NHNtKr/doQugte//34xrDaHC/Rg6BH
	m9fmzEgQ39Rct1828txg6mM30cf
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic]
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
	(bad octet value).
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 140.186.70.43
X-Mailman-Approved-At: Mon, 28 Jul 2014 23:10:25 -0400
X-BeenThere: bug-guile@gnu.org
List-Id: "Bug reports for GUILE,
	GNU's Ubiquitous Extension Language" <bug-guile.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guile>,
	<mailto:bug-guile-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guile>
List-Post: <mailto:bug-guile@gnu.org>
List-Help: <mailto:bug-guile-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guile>,
	<mailto:bug-guile-request@gnu.org?subject=subscribe>
Errors-To: bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org
Original-Sender: bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.lisp.guile.bugs:7518
Archived-At: <http://permalink.gmane.org/gmane.lisp.guile.bugs/7518>

[resubmitting to bug-guile@gnu.org as debbugs seems to have eaten my
 first mail]

When I tried to reproduce this bug on a 32-bit x86 system, I got an
abort in the function bytevector_large_set(); I think this is also
where the bug is.

Specifically, there are two bugs in these two consecutive lines in
bytevector_large_set():

value_size = (mpz_sizeinbase (c_mpz, 2) + (8 * c_size)) / (8 * c_size);
if (SCM_UNLIKELY (value_size > c_size))

In the first line, there is an off-by-one error in the calculation of
value_size; it gives the wrong answer if mpz_sizeinbase() is a
multiple of (8 * c_size) (see
https://gmplib.org/manual/Integer-Import-and-Export.html).

Secondly, this calculation gives the number of (c_size-byte) *words*
required to hold c_mpz, not the number of bytes. So the check in the
next line should be (c_size * value_size > c_size), or equivalently
(value_size > 1).

Since bytevector-u64-set! also calls bytevector_large_set, it
may be possible to reproduce this bug on 64 bit systems too; e.g
(bytevector-u64-set! (make-bytevector 8) 0 (expt 2 64) (endianness big))
[untested]


--- a/libguile/bytevectors.c
+++ b/libguile/bytevectors.c
@@ -867,10 +867,10 @@ bytevector_large_set (char *c_bv, size_t c_size, int signed_p,
     memset (c_bv, 0, c_size);
   else
     {
-      size_t word_count, value_size;
+      size_t word_count, value_words;
 
-      value_size = (mpz_sizeinbase (c_mpz, 2) + (8 * c_size)) / (8 * c_size);
-      if (SCM_UNLIKELY (value_size > c_size))
+      value_words = (mpz_sizeinbase (c_mpz, 2) + (8 * c_size) - 1) / (8 * c_size);
+      if (SCM_UNLIKELY (value_words > 1))
 	{
 	  err = -2;
 	  goto finish;