From ba498ae2d5e9980a2f3acc921ee29c38bcac549e Mon Sep 17 00:00:00 2001
From: Marco Bodrato
Date: Sun, 26 Sep 2021 13:56:18 +0200
Subject: mpz/inp_raw.c: Avoid bit size overflows
---
 mpz/inp_raw.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'mpz')
diff --git a/mpz/inp_raw.c b/mpz/inp_raw.c
index 378c42bb4..746d926c7 100644
--- a/mpz/inp_raw.c
+++ b/mpz/inp_raw.c
@@ -1,6 +1,6 @@
 /* mpz_inp_raw -- read an mpz_t in raw format.
-Copyright 2001, 2002, 2005, 2012, 2016 Free Software Foundation, Inc.
+Copyright 2001, 2002, 2005, 2012, 2016, 2021 Free Software Foundation, Inc.
 This file is part of the GNU MP Library.
@@ -75,7 +75,7 @@ mpz_inp_raw (mpz_ptr x, FILE *fp)
 fp = stdin;
 /* 4 bytes for size */
- if (fread (csize_bytes, sizeof (csize_bytes), 1, fp) != 1)
+ if (UNLIKELY (fread (csize_bytes, sizeof (csize_bytes), 1, fp) != 1))
 return 0;
 size = (((size_t) csize_bytes[0] << 24) + ((size_t) csize_bytes[1] << 16) +
@@ -88,8 +88,11 @@ mpz_inp_raw (mpz_ptr x, FILE *fp)
 abs_csize = ABS (csize);
+ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
+ return 0; /* Bit size overflows */
+
 /* round up to a multiple of limbs */
- abs_xsize = BITS_TO_LIMBS (abs_csize*8);
+ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
 if (abs_xsize != 0)
 {
@@ -99,7 +102,7 @@ mpz_inp_raw (mpz_ptr x, FILE *fp)
 non-nails case. */
 xp[0] = 0;
 cp = (char *) (xp + abs_xsize) - abs_csize;
- if (fread (cp, abs_csize, 1, fp) != 1)
+ if (UNLIKELY (fread (cp, abs_csize, 1, fp) != 1))
 return 0;
 if (GMP_NAIL_BITS == 0)
--
cgit v1.2.1
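Review bot: The new guard in the third hunk (`abs_csize > ~(mp_bitcnt_t) 0 / 8`) leaves no headroom for the round-up inside `BITS_TO_LIMBS`. If that macro adds `GMP_NUMB_BITS - 1` before dividing (its definition is not in this patch), an `abs_csize` within a few bytes of the limit passes the check and the addition can still wrap, yielding a limb count of zero. Consider tightening the test to `if (UNLIKELY (abs_csize > (~(mp_bitcnt_t) 0 - (GMP_NUMB_BITS - 1)) / 8))`. The comment `/* Bit size overflows */` could also state that `abs_csize` is decoded from the 4-byte header of the input file and is therefore untrusted, and that the later `fread` into `cp` depends on `abs_xsize` limbs covering `abs_csize` bytes. The body of `mpz_inp_raw` starts and ends outside this hunk.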
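Review bot: The early `return 0` after the payload `fread` in the last hunk leaves the destination modified. `xp[0] = 0` has already been stored and a short read may have filled part of the buffer, so if `xp` is the limb storage of `x` (its assignment is outside the hunk) the caller gets an error return with the previous value of `x` gone. This predates the commit, but since the line is being touched it deserves a comment such as `/* short read: x's limbs are already overwritten, its value is unspecified */`, with a matching sentence in the function's documentation. Code that parses files from untrusted sources should treat `x` as invalid after a zero return.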