Hi, I'm new to MPIR, and really am just playing around/familiarising myself
with what it can do at the moment. My program produced an AV when calling
mpz_powm with large exp and mod parameters. This seems to be due to a
miscalculation of a buffer size in , which has gone over 2^32 and so been
truncated, resulted in a buffer smaller than expected by the subsequent MPIR
code.
Here are the environment details:
- MPIR version 3.0.0 (no patches/customisations)
- OS: Windows 10
- MPIR build: dll_mpir_gc\win32\debug
- compiler: VC15
- MPIR build and test suite ran ok
Here is a summary of what led to the AV:
- My code calls mpz_powm, which calls mpn_powm
- At powm.c (line 224) there is a temp allocation for some limbs:
pp = TMP_ALLOC_LIMBS (n << (windowsize - 1));
In my program the values here are:
n = 0x0024d3d9
windowsize = 10
limb size = 4 bytes
so this is trying to allocate
(0x0024d3d9 << 9) * 4 = 0x1269ec800 bytes, which due to 32-bit overflow results
in a request for only 0x269ec800 bytes.
The access violation occurs when the following loop (incrementing this_pp etc.)
gets around to trying to update beyond the end of the pp buffer, which is
shorter than expected...
[Details probably not important, but here is the stack trace at the time of the
AV...
mpir.dll!__gmpn_sub_n(unsigned long * rp, const unsigned long * up,
const unsigned long * vp, long n) Line 47 C Symbols loaded.
mpir.dll!__gmpn_redc_n(unsigned long * rp, unsigned long * up, const
unsigned long * mp, long n, const unsigned long * ip) Line 76 C
Symbols loaded.
> mpir.dll!__gmpn_powm(unsigned long * rp, const unsigned long * bp, long
> bn, const unsigned long * ep, long en, const unsigned long * mp, long n,
> unsigned long * tp) Line 258 C Symbols loaded.
mpir.dll!__gmpz_powm(__mpz_struct * r, const __mpz_struct * b, const
__mpz_struct * e, const __mpz_struct * m) Line 192 C Symbols loaded.
TestMpir1.exe!NPFO1(const __mpz_struct * p) Line 190 C++ Symbols
loaded.
]
We could say that my call to mpz_powm was "optimistic" given the operand sizes,
but still if the operands were too big it should fail somehow
*deterministically*, rather than AV... (or better, run correctly for a very
long time!)
Please let me know if you need more info etc..
Regards,
Mike.
--
You received this message because you are subscribed to the Google Groups
"mpir-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to mpir-devel+unsubscr...@googlegroups.com.
To post to this group, send email to mpir-devel@googlegroups.com.
Visit this group at https://groups.google.com/group/mpir-devel.
For more options, visit https://groups.google.com/d/optout.
