PARI/GP Bug report logs - #1237
undefined behaviour in pari_init_parser

Package: pari; Maintainer for pari is Aurel Page <aurel.page@normalesup.org>; Source for pari is src:pari.

Reported by: Julian Taylor <jtaylor.debian@googlemail.com>

Date: Wed, 31 Aug 2011 15:33:08 UTC

Severity: normal

Done: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>

Bug is archived. No further changes may be made.

Full log


Message #5 received at submit@pari.math.u-bordeaux.fr:

Message-ID: <4E5E52C5.4050702@googlemail.com>
Date: Wed, 31 Aug 2011 17:27:01 +0200
From: Julian Taylor <jtaylor.debian@googlemail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20110828 Thunderbird/7.0
MIME-Version: 1.0
To: submit@pari.math.u-bordeaux.fr
CC: ballombe@debian.org
Subject: undefined behaviour in pari_init_parser
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Package: pari
Version: 2.5.0

Hi,
the stack_init function used from pari_init_parser exhibits undefined behavior.
Thanks to Måns Rullgård for spotting this issue and suggesting the patch.

pari_init_parser calls stack_init with arguments one and three being unrelated variables
in global/thread-local memory:
src/language/parsec.h:43 stack_init(&s_node,sizeof(*pari_tree),(void **)&pari_tree);

In stack_init this is used:
src/headers/pariinl.h:560 stack_init(pari_stack *s, size_t size, void **data)
{
  s->offset = (char *)data-(char *)s;

Here the difference between the unrelated memory locations is taken, which is undefined.
This leads to testsuite failures on some architectures like armel [0], armhf [1] and sparc [2].


This patch solves the issue by using a pointer directly instead of an offset.
With it the testsuite succeeds on armel and amd64 (more were not tested).

diff -ur pari-2.5.0.fixed/src/headers/pariinl.h pari-2.5.0.fixed/src/headers/pariinl.h
--- pari-2.5.0/src/headers/pariinl.h     2011-05-30 09:28:34.000000000 +0000
+++ pari-2.5.0.fixed/src/headers/pariinl.h  2011-08-31 14:30:34.000000000 +0000
@@ -554,12 +554,12 @@
 /**                                                                **/
 /********************************************************************/
 INLINE void **
-stack_base(pari_stack *s) { return (void **) ((char *)s+s->offset); }
+stack_base(pari_stack *s) { return (void **) ((char *)s->offset); }
 
 INLINE void
 stack_init(pari_stack *s, size_t size, void **data)
 {
-  s->offset = (char *)data-(char *)s;
+  s->offset = data;
   *data = NULL;
   s->n = 0;
   s->alloc = 0;
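Review bot: the new stack_base still casts through `char *` (`(void **) ((char *)s->offset)`) even though offset is now a pointer and no byte arithmetic takes place; `return (void **) s->offset;` expresses the intent and stops readers from assuming an address computation survives here. Declaring the member as `void **` (matching the `void **data` parameter of stack_init) would remove the cast entirely.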
diff -ur ./src/headers/paristio.h ../pari-2.5.0.fixed//src/headers/paristio.h
--- pari-2.5.0/src/headers/paristio.h    2011-05-30 09:28:34.000000000 +0000
+++ pari-2.5.0.fixed/src/headers/paristio.h 2011-08-31 14:33:16.000000000 +0000
@@ -125,7 +125,7 @@
 } hashtable;
 
 typedef struct {
-  long offset;
+  void* offset;
   long n;
   long alloc;
   size_t size;
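Review bot: `long offset` becomes `void* offset` but keeps its name, so any remaining code that still treats the field as a byte count will compile silently wherever long and void* have the same width; renaming the member (e.g. to `data`, as it now holds the address of the caller's data pointer) would make the compiler flag every leftover use. Note also that the struct layout changes on LLP64 targets (64-bit Windows: 4-byte long, 8-byte pointer), so anything built against the old pari_stack layout must be rebuilt.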


[0] https://launchpad.net/ubuntu/+source/pari/2.5.0-1/+build/2648667
[1] http://buildd.debian-ports.org/status/package.php?p=pari&suite=sid
[2] https://buildd.debian.org/status/package.php?p=pari&suite=sid
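As an added illustration that is not PARI's code and not part of the report, the following self-contained C program re-creates the patched descriptor design from the diff above (address of the data pointer stored directly, no subtraction between unrelated objects) and adds an assumed mini_stack_push helper plus constructed stand-ins for s_node and pari_tree to exercise it; all identifiers prefixed mini_ or g_ are invented here.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Re-creation of the patched design (not PARI's code): the descriptor keeps
 * the address of the caller's array pointer, so stack_base() never has to
 * subtract two unrelated addresses as the original offset scheme did. */
typedef struct {
  void **data;   /* address of the caller's array pointer (patched "offset") */
  long n;        /* elements in use */
  long alloc;    /* elements allocated */
  size_t size;   /* element size in bytes */
} mini_stack;
static void **mini_stack_base(mini_stack *s) { return s->data; }

static void mini_stack_init(mini_stack *s, size_t size, void **data)
{
  s->data = data; *data = NULL;
  s->n = 0; s->alloc = 0; s->size = size;
}
/* Assumed helper: append one element, growing the array; index or -1 on OOM. */
static long mini_stack_push(mini_stack *s, const void *elem)
{
  void **base = mini_stack_base(s);
  if (s->n == s->alloc) {
    long na = s->alloc ? 2 * s->alloc : 8;
    void *p = realloc(*base, (size_t)na * s->size);
    if (!p) return -1;
    *base = p; s->alloc = na;
  }
  memcpy((char *)*base + (size_t)s->n * s->size, elem, s->size);
  return s->n++;
}
static long *g_tree;         /* constructed stand-in for pari_tree */
static mini_stack g_s_node;  /* constructed stand-in for s_node    */
/* Push 20 longs, then check that a copy of the descriptor (living at a
 * different address from g_s_node) still resolves to &g_tree; a byte
 * offset relative to the descriptor's own address could not survive that. */
int mini_stack_selfcheck(void)
{
  mini_stack copy;
  long i; int ok;
  mini_stack_init(&g_s_node, sizeof(*g_tree), (void **)&g_tree);
  for (i = 0; i < 20; i++) if (mini_stack_push(&g_s_node, &i) != i) return 0;
  copy = g_s_node;
  ok = mini_stack_base(&copy) == (void **)&g_tree && g_tree[19] == 19;
  free(g_tree); g_tree = NULL;
  return ok;
}
```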





Bill Allombert <allomber@math.u-bordeaux.fr>. Last modified: Sat Aug 26 17:15:14 2023; Machine Name: pari
