On 2021-09-15 17:34:01 +0200, Vincent Lefevre wrote:
> On 2021-09-15 17:05:42 +0200, Paul Zimmermann wrote:
> > sorry the test_dummy2.save is attached. It was generated by (under /bin/sh,
> > not /bin/bash):
> >
> > echo -e "\n\r\n\r# this is a comment line and should be ignored" > test_dummy2.save
>
> I can reproduce the segfault only with a 32-bit ABI.
>
> read(3, "-e \n\r\n\r# this is a comment line "..., 4096) = 54
> mmap2(NULL, 224735232, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xea604000
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xca604012} ---
>
> If I understand correctly, the read system call comes from the initial
> fread() to get the size, and the mmap2 comes from the allocation.
In mpz/inp_raw.c, I think that abs_csize*8 yields an integer overflow on large sizes.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

_______________________________________________
gmp-bugs mailing list
gmp-bugs@gmplib.org
https://gmplib.org/mailman/listinfo/gmp-bugs
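The arithmetic behind the overflow hypothesis, as an added example that is not GMP's code and not part of the thread. It models the size handling of mpz_inp_raw as the message describes it: the first four bytes of the file are a big-endian signed byte count, abs_csize is its magnitude, the limb count is BITS_TO_LIMBS(abs_csize*8), and the payload is then read into the tail of the limb buffer. The header bytes are taken from the strace read() above ("-e \n"); the 32-bit limb size, the placement of the payload at the end of the buffer, and the size_fits guard are assumptions made here for illustration. With those assumptions the 32-bit path gives 56,182,787 limbs, i.e. 224,731,148 bytes (which page-rounds to the 224,735,232-byte mmap2 in the trace), and a write target 0x1FFFFFFE bytes below the buffer, which is the distance between the mapping at 0xea604000 and the fault address 0xca604012 up to the allocator's header.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed input: the first four bytes of test_dummy2.save as shown by
 * the strace read() in the thread, "-e \n" (dash's echo has no -e option,
 * so it printed the flag literally). They are parsed as a big-endian
 * signed byte count for the magnitude. */
static const unsigned char SAVE_HEADER[4] = { '-', 'e', ' ', '\n' };

/* |csize| as a 32-bit size_t would hold it (abs_csize on a 32-bit ABI). */
static uint32_t raw_abs_csize(const unsigned char hdr[4])
{
    uint32_t u = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16)
               | ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    int32_t csize = (int32_t)u;
    /* negate in unsigned arithmetic so INT32_MIN cannot overflow */
    return csize < 0 ? 0u - u : u;
}

/* BITS_TO_LIMBS(abs_csize * 8) computed in 32 bits, as on a 32-bit ABI:
 * the multiplication wraps modulo 2^32 once abs_csize >= 2^29. */
static uint32_t limbs_32bit(uint32_t abs_csize)
{
    uint32_t bits = abs_csize * 8u;     /* wraps for large abs_csize */
    return (bits + 31u) / 32u;
}

/* The same quantity with a wide intermediate: the limb count the payload
 * really needs (32-bit limbs assumed, matching the ABI in the thread). */
static uint64_t limbs_exact(uint32_t abs_csize)
{
    uint64_t bits = (uint64_t)abs_csize * 8u;
    return (bits + 31u) / 32u;
}

/* Byte offset, from the start of the limb buffer, at which the payload
 * fread() would begin.  The payload is assumed to be placed at the end of
 * the abs_xsize-limb buffer, i.e. at (xp + abs_xsize) - abs_csize.
 * A negative result means the write starts before the allocation. */
static int64_t payload_offset(uint32_t abs_csize, int size_t_is_32bit)
{
    uint64_t limbs = size_t_is_32bit ? limbs_32bit(abs_csize)
                                     : limbs_exact(abs_csize);
    return (int64_t)(limbs * 4u) - (int64_t)abs_csize;
}

/* Suggested guard (an assumption here, not GMP's wording): refuse a header
 * whose bit count cannot be represented in size_t before multiplying. */
static int size_fits(uint32_t abs_csize, uint64_t size_t_max)
{
    return (uint64_t)abs_csize <= size_t_max / 8u;
}

int main(void)
{
    uint32_t n = raw_abs_csize(SAVE_HEADER);
    printf("abs_csize          = %u (0x%08x)\n", (unsigned)n, (unsigned)n);
    printf("32-bit limbs       = %u -> %u bytes, payload at offset %lld\n",
           (unsigned)limbs_32bit(n), (unsigned)(limbs_32bit(n) * 4u),
           (long long)payload_offset(n, 1));
    printf("exact limbs        = %llu, payload at offset %lld\n",
           (unsigned long long)limbs_exact(n),
           (long long)payload_offset(n, 0));
    printf("fits 32-bit size_t = %d, fits 64-bit size_t = %d\n",
           size_fits(n, UINT32_MAX), size_fits(n, UINT64_MAX));
    return 0;
}
```

The interesting line is the offset: with the wrapped 32-bit product the buffer is sized for the wrapped bit count, so "end of buffer minus abs_csize" lands half a gigabyte before the allocation and the payload fread() faults; with an exact product the same header would simply request a 761 MB allocation, which is why the guard is checked before the multiplication rather than after it.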