Reporting some `bn` bugs


jy l

Nov 14, 2022, 8:00:35 AM
to relic-discuss
Hi developers,

I'm writing to report some bugs we met in the relic API.
It seems there is an integer overflow while doing `realloc`, for example:
`bn_grow(r0, 0x20000000)` would become `realloc(ptr, "a small number")` and return successfully, causing a heap overflow in later calls.
We happened to trigger it through some other APIs like `bn_gen_prime` or `bn_rand`. Maybe there should be more checks here?

Another one is also an integer overflow and trivial to fix:
in `bn_get_prime`, if `pos` is a negative number, it passes the error checking and causes some global buffer corruption. Maybe `pos` should be an unsigned int?

Could you help us verify these issues? Thanks!!
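
An added example (not the reporter's or RELIC's own code) showing in C the two checks the report asks for: a grow routine whose byte count is bounded before it reaches `realloc`, beside the 32-bit computation that wraps, and a table lookup that rejects negative positions. `dig_t`, `MAX_DIGITS`, `grow_checked`, `prime_at` and the prime table are assumed names and constructed data.

```c
/* Added example (not RELIC's own code): an overflow-checked digit-array grow
 * and a small-prime table lookup that rejects negative positions. All names
 * (dig_t, MAX_DIGITS, grow_checked, prime_at) are hypothetical. */
#include <stdint.h>
#include <stdlib.h>

typedef uint64_t dig_t;
#define MAX_DIGITS 4096          /* hypothetical upper bound on a bn's digits */

/* The failure mode from the report: a byte count computed in 32 bits wraps,
 * so 0x20000000 digits of 8 bytes becomes 0 bytes. Unsigned, so well defined. */
static uint32_t naive_bytes(uint32_t digits) {
    return digits * (uint32_t)sizeof(dig_t);
}

/* Hardened: reject negative or oversized requests before computing the size in
 * size_t, so realloc never sees a wrapped value. Returns 1 on success, 0 on
 * rejection or allocation failure; *buf and *alloc are untouched on failure. */
static int grow_checked(dig_t **buf, int *alloc, int digits) {
    if (digits < 0 || digits > MAX_DIGITS) return 0;
    if (digits <= *alloc) return 1;                    /* already big enough */
    size_t bytes = (size_t)digits * sizeof(dig_t);     /* cannot wrap: bounded */
    dig_t *p = realloc(*buf, bytes);
    if (p == NULL) return 0;
    *buf = p;
    *alloc = digits;
    return 1;
}

/* Constructed small-prime table standing in for the global one bn_get_prime
 * reads. The check must cover both ends of the signed index. */
static const dig_t primes[] = { 2, 3, 5, 7, 11, 13, 17, 19 };
#define PRIME_COUNT ((int)(sizeof(primes) / sizeof(primes[0])))

static int prime_at(int pos, dig_t *out) {
    if (pos < 0 || pos >= PRIME_COUNT) return 0;    /* "pos >= N" alone misses negatives */
    *out = primes[pos];
    return 1;
}
```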

Diego F. Aranha

Nov 14, 2022, 9:01:15 AM

Confirmed, that's why RELIC is listed as "at best alpha-quality software", useful for research purposes only.

There's a bunch of old broken code in there that was written > 15 years ago.
In particular, the dynamic memory part has never been properly hardened or fuzzed.
I've been trying for a few years to remove it completely in favor of stack-allocation only, but keep bumping into walls.

Anyway, can you please start Issues/PRs so we fix at least the low-hanging fruit?

Thank you!
Diego F. Aranha
Associate Professor at Computer Science, Aarhus University, Denmark

Åbogade 34, Building 5335 (Office 318 at Nygaard)
8200 Aarhus N, Denmark



jy l

Nov 15, 2022, 12:49:58 PM
to relic-discuss
Sorry for my late reply! Thank you so much for your prompt response!
I didn't start PRs because I thought my minor patches might not match the overall coding style. I just checked and saw that lots of them have been fixed, right?
Thanks again!