Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines
Vincent Lefevre
vincent at vinc17.net
Sun Nov 14 14:43:25 GMT 2021
On 2021-11-14 14:15:25 +0100, Anton Gladky wrote:
> well, I was thinking that upstream should request a CVE. Nevertheless
> I could not reproduce the issue with the modern GCC versions.
> Even on 32-bit systems.
I can still reproduce the segmentation fault under Debian/unstable.
Simplified testcase:
#include <stdio.h>
#include <gmp.h>

int main (void)
{
  mpz_t s;

  mpz_init (s);
  /* Read a raw-format integer from stdin; the 4-byte size header comes
     straight from the (untrusted) input. */
  mpz_inp_raw (s, stdin);
  return 0;
}
Compile with gcc -m32 and execute:
printf 12345 | ./testcase
Note that even if you don't get a segmentation fault, there may be
other erratic behaviors, such as silent memory corruption (which may
be even worse).
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
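The failure mode above comes from the 4-byte size header of the raw format: on a 32-bit build the byte count is multiplied by 8 to get a bit count, and for a header such as the "1234" that `printf 12345` sends that product wraps, so far fewer limbs are allocated than the stream then claims to deliver. The following is an added example (not Vincent's testcase and not GMP's own code) that parses the header with explicit 32-bit arithmetic, shows the wrapped limb count an unchecked build would derive, and rejects any header whose bit count would not fit or which exceeds a caller-chosen limit max_bytes (an assumed policy parameter, not a GMP one).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded view of the 4-byte big-endian, two's-complement size header
 * that precedes the limb bytes of an mpz raw blob. */
typedef struct {
    bool     ok;        /* false: reject before allocating anything */
    bool     negative;  /* sign of the encoded integer */
    uint32_t nbytes;    /* magnitude byte count the stream claims to carry */
} raw_header;

/* Limb count a 32-bit build derives with unchecked arithmetic: nbytes*8
 * wraps for nbytes >= 2^29, yielding far fewer limbs than will be read. */
uint32_t unchecked_limbs32(uint32_t nbytes)
{
    uint32_t bits = nbytes * 8u;
    return (bits + 31u) / 32u;
}

/* Checked limb count; only valid after parse_raw_header() returned ok. */
uint32_t checked_limbs32(uint32_t nbytes)
{
    uint32_t bits = nbytes * 8u;                 /* cannot wrap once bounded */
    return bits / 32u + (bits % 32u != 0u);
}

/* Parse the header and reject any size for which nbytes*8 would not fit in
 * 32 bits, or which exceeds max_bytes (this example's own policy limit). */
raw_header parse_raw_header(const unsigned char hdr[4], uint32_t max_bytes)
{
    raw_header h = { false, false, 0 };
    uint32_t u = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16)
               | ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    h.negative = (u >> 31) != 0;
    h.nbytes = h.negative ? 0u - u : u;          /* two's-complement magnitude */
    if (h.nbytes > UINT32_MAX / 8u) return h;    /* bit count would wrap */
    if (h.nbytes > max_bytes) return h;          /* over the policy limit */
    h.ok = true;
    return h;
}

int main(void)
{
    /* Constructed input: the header bytes '1','2','3','4' from "printf 12345". */
    const unsigned char hdr[4] = { '1', '2', '3', '4' };
    raw_header h = parse_raw_header(hdr, 1u << 20);
    printf("claimed nbytes=%u accepted=%d wrapped limbs=%u\n",
           0x31323334u, h.ok, unchecked_limbs32(0x31323334u));
    return 0;
}
```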