From unknown Wed Jun 18 23:18:20 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#14917 <14917@debbugs.gnu.org> To: bug#14917 <14917@debbugs.gnu.org> Subject: Status: Missing range check in fxcopy-bit can give SIGABRT Reply-To: bug#14917 <14917@debbugs.gnu.org> Date: Thu, 19 Jun 2025 06:18:20 +0000 retitle 14917 Missing range check in fxcopy-bit can give SIGABRT reassign 14917 guile submitter 14917 G=C3=B6ran Weinholt severity 14917 normal thanks From debbugs-submit-bounces@debbugs.gnu.org Sat Jul 20 02:58:04 2013 Received: (at submit) by debbugs.gnu.org; 20 Jul 2013 06:58:04 +0000 Received: from localhost ([127.0.0.1]:38892 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1V0R7C-0001lS-RV for submit@debbugs.gnu.org; Sat, 20 Jul 2013 02:58:03 -0400 Received: from eggs.gnu.org ([208.118.235.92]:59003) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1V0R78-0001kf-QT for submit@debbugs.gnu.org; Sat, 20 Jul 2013 02:57:59 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1V0R72-0002Qm-KZ for submit@debbugs.gnu.org; Sat, 20 Jul 2013 02:57:53 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-100.0 required=5.0 tests=BAYES_20,T_DKIM_INVALID, USER_IN_WHITELIST autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:49922) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1V0R72-0002Qe-Hr for submit@debbugs.gnu.org; Sat, 20 Jul 2013 02:57:52 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60718) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1V0R71-000894-K6 for bug-guile@gnu.org; Sat, 20 Jul 2013 02:57:52 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1V0R70-0002QL-Is for bug-guile@gnu.org; Sat, 20 Jul 2013 02:57:51 -0400 Received: from iustitia.weinholt.se ([2a02:28f0:0:a::7dce:e5a8]:60541) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1V0R70-0002Pt-8I for bug-guile@gnu.org; Sat, 20 Jul 2013 02:57:50 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=weinholt.se; s=iustitia2012; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From; bh=cnTBzARR/FAgwpi2dcjfINeOac8lVfUI5m8MtgczGbc=; b=PhqHygOA9TqCR6lm20Jf/bQpCUv+NSEmhLt2RCmX7ozAGOfre+kL5KpVW7iYvsjrHuIw+A5mMrBlLA0QoiNcu2d46H3PMfLF71nyjg/IIUWAc0EABWB1E1SZhY/ZbQShHwli1cg04Il4BQ2T9Ezie7Xvb8HOwWd5EPhTxC7EZkZclZpKPQvkXl3ZNrql5BvwoKjqWZoxZxJfeEK4KpWWzRMA32q8ATzaajKOkzD3nQTY2kjPzXS86974G3rVd5KWowmwa7KlNE3iHOSyjA5wP2ScJs5Lv5uaeCynWQTDTOw0XTAX7ZgJ4Ok0YUJWn4RkNKZ2FMlImgWxC5Z8ndaikw==; Received: from uucp by iustitia.weinholt.se with local-bsmtp (Exim 4.72) (envelope-from ) id 1V0R6y-0003hm-FB; Sat, 20 Jul 2013 08:57:48 +0200 Received: from weinholt by industria with local (Exim 4.80) (envelope-from ) id 1V0R6g-0001aT-KQ; Sat, 20 Jul 2013 08:57:30 +0200 X-Hashcash: 1:20:130720:bug-guile@gnu.org::2gXASr7epBGn374i:0000000000000000000000000000000000000000000046ZS From: =?utf-8?Q?G=C3=B6ran?= Weinholt To: bug-guile@gnu.org Subject: Missing range check in fxcopy-bit can give SIGABRT Date: Sat, 20 Jul 2013 08:57:29 +0200 Message-ID: <87y59190rq.fsf@industria.weinholt.se> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -3.3 (---) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello schemers, the fxcopy-bit procedure from (rnrs) is missing some range checks. It can return a non-fixnum: scheme@(guile-user)> (import (rnrs)) scheme@(guile-user)> (fxcopy-bit 0 (fixnum-width) 1) $1 =3D 9223372036854775808 It can also crash the guile process, which is somewhat surprising for a fixnum procedure: scheme@(guile-user)> (import (rnrs)) scheme@(guile-user)> (fxcopy-bit 0 100000000000 0) FATAL: memory error in realloc Aborted Here's an alternative error message: scheme@(guile-user)> (import (rnrs)) scheme@(guile-user)> (fxcopy-bit 0 1000000000000 0) gmp: overflow in mpz type Aborted Other implementations of fxcopy-bit usually check that the third argument is 0 or 1, but I'm not sure that is required. There's also a bitwise-copy-bit procedure that is similary affected. Tested with Guile 2.0.9.40-824b-dirty on an amd64 system. Regards, =2D-=20 G=C3=B6ran Weinholt "Mr. Crane, please remember you're not required to answer any of Lt. Tragg's questions. As a matter of fact, don't even discuss the weather with him, he can be very persuasive." -- Perry Mason --=-=-= Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJR6jTaAAoJEOM+YaLpuMOi0FsP/i+YqNZlvwEiAvs1DOjHe7r2 iaOd086En1Vg/XwI5dp85AM2LrlnyZqX4vMmiLagMzKNVw8bu8IHJiU97kdXfOg+ QEIiZHQA2bxmi8K497EQbbJ+ZofO7Mqm+7M4mYa4BQjAuS4fvQjvKm9He7hLui63 sdJvhgtTfIVXfrNd20gkzW9sStM1wJyEF7ToCFsTvAgT3pn+QdJ4RxbRx2gLiJUD yeBgQSNUWZh6G+AXn7sx5oVLPmrg7HLimsn89W2XLjahT7RDVx+7KeqqMLul0514 ys+i1HNFqDRMaKyq+UMPregwbSHvQDkXC0TLNWWXcgoUpGZd4v1rOlgYb0xcU6ku LuczWGBFdbsDGgBfDAcG8PquIQoPyyXY/6J+m+gAsbPP89WKYst6mIdUkIIDren4 4FOeaU/wAhMk2kjXVIZ7phY3K5Bn6u8GWYedo/6PMfo52Dnx8v1Il4ZpKn8l2+7X vo1BRNcRANzY6B9U+P/+xlbHR+CYpdjKf/TpUQdLP82JCFdcsofkeDGWBZZR46a9 jr4N3iFr7sxwvSOneq3IXfLiOsUB+9xyZmc9mg3KF1tsf2JL0srHXv2XXgLkOzng Shz5xGKvdnm+TAuWTAiX0ONjqaPExmyIfnIj8K4dDp0ly73j9KD1kx/bLMo1I/vR smBGtS6k/5tX7iIoAqPW =cewq -----END PGP SIGNATURE----- --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Tue Jun 21 03:35:54 2016 Received: (at 14917-done) by debbugs.gnu.org; 21 Jun 2016 07:35:55 +0000 Received: from localhost ([127.0.0.1]:48468 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bFGDy-0001Hh-N4 for submit@debbugs.gnu.org; Tue, 21 Jun 2016 03:35:54 -0400 Received: from pb-sasl2.pobox.com ([64.147.108.67]:53725 helo=sasl.smtp.pobox.com) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1bFGDw-0001HZ-GY for 14917-done@debbugs.gnu.org; Tue, 21 Jun 2016 03:35:52 -0400 Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by pb-sasl2.pobox.com (Postfix) with ESMTP id 3B1A920AD1; Tue, 21 Jun 2016 03:35:52 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=from:to:cc :subject:references:date:in-reply-to:message-id:mime-version :content-type:content-transfer-encoding; s=sasl; bh=qyxDynBDOMDg 70BFFw02p6pNbw4=; b=Lpl6dIVX50htBxL4QCZC9XLndxuYhNOJasp0YGuYR4cW tLRXtdOQaYVldnE71InzA8xxW8asq0BxG5vOttsLnW3jX77TYSv2KJ4qStR/1Djb 9YQlTFUG0Kgg/2gSos34vsS7aytN6YPCZHXP65OmczqaUM+SZpSzYTcHcZDEuAU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=from:to:cc :subject:references:date:in-reply-to:message-id:mime-version :content-type:content-transfer-encoding; q=dns; s=sasl; b=uI4E9z YGBtyp+DAvT6MKD3sNl6a1LSzErTL/dwxurGIPHAbB/sOb+zh78TZhpJ5+EyIqIY 0bq1/ixeet1ScTR/VVE0bwhpuqhTRBDsL6xOLyVuGCOkymzzhsrQ3LxebITAWtd0 7b2vDneKZsDi/fQQkOND1Ghh+fMkNntqR82Wk= Received: from pb-sasl2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-sasl2.pobox.com (Postfix) with ESMTP id 32FB420AD0; Tue, 21 Jun 2016 03:35:52 -0400 (EDT) Received: from clucks (unknown [88.160.190.192]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pb-sasl2.pobox.com (Postfix) with ESMTPSA id 522DD20ACF; Tue, 21 Jun 2016 03:35:51 -0400 (EDT) From: Andy Wingo To: =?utf-8?Q?G=C3=B6ran?= Weinholt Subject: Re: bug#14917: Missing range check in fxcopy-bit can give SIGABRT References: <87y59190rq.fsf@industria.weinholt.se> Date: Tue, 21 Jun 2016 09:35:44 +0200 In-Reply-To: <87y59190rq.fsf@industria.weinholt.se> (=?utf-8?Q?=22G=C3=B6r?= =?utf-8?Q?an?= Weinholt"'s message of "Sat, 20 Jul 2013 08:57:29 +0200") Message-ID: <87oa6v3sfj.fsf@pobox.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Pobox-Relay-ID: C7A6AA36-3782-11E6-AAB0-28A6F1301B6D-02397024!pb-sasl2.pobox.com X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: 14917-done Cc: 14917-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.4 (-) Howdy :) Three years later, this is now fixed and will be in 2.1.4. I think we'll cherry-pick it back to 2.0.12 too. Cheers, Andy On Sat 20 Jul 2013 08:57, G=C3=B6ran Weinholt writes: > Hello schemers, > > the fxcopy-bit procedure from (rnrs) is missing some range checks. It > can return a non-fixnum: > > scheme@(guile-user)> (import (rnrs)) > scheme@(guile-user)> (fxcopy-bit 0 (fixnum-width) 1) > $1 =3D 9223372036854775808 > > It can also crash the guile process, which is somewhat surprising for a > fixnum procedure: > > scheme@(guile-user)> (import (rnrs)) > scheme@(guile-user)> (fxcopy-bit 0 100000000000 0) > FATAL: memory error in realloc > Aborted > > Here's an alternative error message: > > scheme@(guile-user)> (import (rnrs)) > scheme@(guile-user)> (fxcopy-bit 0 1000000000000 0) > gmp: overflow in mpz type > Aborted > > Other implementations of fxcopy-bit usually check that the third > argument is 0 or 1, but I'm not sure that is required. > > There's also a bitwise-copy-bit procedure that is similary affected. > Tested with Guile 2.0.9.40-824b-dirty on an amd64 system. > > Regards, From unknown Wed Jun 18 23:18:20 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Tue, 19 Jul 2016 11:24:04 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator