35 lines
1.0 KiB
Diff
35 lines
1.0 KiB
Diff
From 561a9c25298e17bb01896801ff353546c6923dbd Mon Sep 17 00:00:00 2001
|
|
From: Marco Bodrato <bodrato@mail.dm.unipi.it>
|
|
Date: Thu, 21 Oct 2021 19:06:49 +0200
|
|
Subject: [PATCH] CVE-2021-43618: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.
|
|
|
|
This patch fixes it by avoiding bit size overflows
|
|
|
|
CVE-2021-43618
|
|
https://nvd.nist.gov/vuln/detail/CVE-2021-43618
|
|
|
|
---
|
|
mpz/inp_raw.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/mpz/inp_raw.c b/mpz/inp_raw.c
|
|
index 378c42b..f88fea9 100644
|
|
--- a/mpz/inp_raw.c
|
|
+++ b/mpz/inp_raw.c
|
|
@@ -88,8 +88,11 @@ mpz_inp_raw (mpz_ptr x, FILE *fp)
|
|
|
|
abs_csize = ABS (csize);
|
|
|
|
+ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
|
|
+ return 0; /* Bit size overflows */
|
|
+
|
|
/* round up to a multiple of limbs */
|
|
- abs_xsize = BITS_TO_LIMBS (abs_csize*8);
|
|
+ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
|
|
|
|
if (abs_xsize != 0)
|
|
{
|
|
--
|
|
2.27.0
|
|
|