Security Advisories (19)
CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.

CVE-2018-18314 (2018-12-07)

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2018-18313 (2018-12-07)

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVE-2018-18311 (2018-12-07)

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2016-6185 (2016-08-02)

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.

CVE-2015-8608 (2017-02-07)

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.

CVE-2020-12723 (2020-06-05)

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

CVE-2020-10878 (2020-06-05)

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

CVE-2020-10543 (2020-06-05)

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

CVE-2018-6798 (2018-04-17)

An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.

CVE-2018-6913 (2018-04-17)

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVE-2016-1238 (2016-08-02)

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

CVE-2018-6797 (2018-04-17)

An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

CVE-2018-18312 (2018-12-05)

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVE-2017-12883 (2017-09-19)

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.

CVE-2017-12837 (2017-09-19)

Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.

CVE-2015-8853 (2016-05-25)

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses the Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

NAME

bigint - Transparent BigInteger support for Perl

SYNOPSIS

use bigint;

$x = 2 + 4.5;				# BigInt 6
print 2 ** 512,"\n";			# really is what you think it is
print inf + 42,"\n";			# inf
print NaN * 7,"\n";			# NaN
print hex("0x1234567890123490"),"\n";	# Perl v5.10.0 or later

{
  no bigint;
  print 2 ** 256,"\n";		# a normal Perl scalar now
}

# Import into current package:
use bigint qw/hex oct/;
print hex("0x1234567890123490"),"\n";
print oct("01234567890123490"),"\n";

DESCRIPTION

All operators (including basic math operations) except the range operator .. are overloaded. Integer constants are created as proper BigInts.

Floating point constants are truncated to integer. All parts and results of expressions are also truncated.

Unlike integer, this pragma creates integer constants that are only limited in their size by the available memory and CPU time.

use integer vs. use bigint

There is one small difference between use integer and use bigint: the former will not affect assignments to variables and the return value of some functions. bigint truncates these results to integer too:

# perl -Minteger -wle 'print 3.2'
3.2
# perl -Minteger -wle 'print 3.2 + 0'
3
# perl -Mbigint -wle 'print 3.2'
3
# perl -Mbigint -wle 'print 3.2 + 0'
3

# perl -Mbigint -wle 'print exp(1) + 0'
2
# perl -Mbigint -wle 'print exp(1)'
2
# perl -Minteger -wle 'print exp(1)'
2.71828182845905
# perl -Minteger -wle 'print exp(1) + 0'
2

In practice this seldom makes a difference, as parts and results of expressions will be truncated anyway, but it can, for instance, affect the return value of subroutines:

sub three_integer { use integer; return 3.2; }
sub three_bigint { use bigint; return 3.2; }

print three_integer(), " ", three_bigint(),"\n";	# prints "3.2 3"

Options

bigint recognizes some options that can be passed while loading it via use. The options can (currently) be given either in their single-letter form or in their long form. The following options exist:

a or accuracy

This sets the accuracy for all math operations. The argument must be greater than or equal to zero. See Math::BigInt's bround() function for details.

perl -Mbigint=a,2 -le 'print 12345+1'

Note that setting precision and accuracy at the same time is not possible.

p or precision

This sets the precision for all math operations. The argument can be any integer. Negative values mean a fixed number of digits after the dot, and are ignored since all operations happen in integer space. A positive value rounds to this digit left from the dot. 0 or 1 mean round to integer and are ignored like negative values.

See Math::BigInt's bfround() function for details.

perl -Mbigint=p,5 -le 'print 123456789+123'

Note that setting precision and accuracy at the same time is not possible.

t or trace

This enables a trace mode and is primarily for debugging bigint or Math::BigInt.

hex

Override the built-in hex() function with a version that can handle big integers. This overrides it by exporting it to the current package. Under Perl v5.10.0 and higher, this is not so necessary, as hex() is lexically overridden in the current scope whenever the bigint pragma is active.

oct

Override the built-in oct() function with a version that can handle big integers. This overrides it by exporting it to the current package. Under Perl v5.10.0 and higher, this is not so necessary, as oct() is lexically overridden in the current scope whenever the bigint pragma is active.

l, lib, try or only

Load a different math lib, see "Math Library".

perl -Mbigint=lib,GMP -e 'print 2 ** 512'
perl -Mbigint=try,GMP -e 'print 2 ** 512'
perl -Mbigint=only,GMP -e 'print 2 ** 512'

Currently there is no way to specify more than one library on the command line. This means the following does not work:

perl -Mbigint=l,GMP,Pari -e 'print 2 ** 512'

This will be hopefully fixed soon ;)

v or version

This prints out the name and version of all modules used and then exits.

perl -Mbigint=v

Math Library

Math with the numbers is done (by default) by a module called Math::BigInt::Calc. This is equivalent to saying:

use bigint lib => 'Calc';

You can change this by using:

use bigint lib => 'GMP';

The following would first try to find Math::BigInt::Foo, then Math::BigInt::Bar, and when this also fails, revert to Math::BigInt::Calc:

use bigint lib => 'Foo,Math::BigInt::Bar';

Using lib warns if none of the specified libraries can be found and Math::BigInt fell back to one of the default libraries. To suppress this warning, use try instead:

use bigint try => 'GMP';

If you want the code to die instead of falling back, use only instead:

use bigint only => 'GMP';

Please see respective module documentation for further details.

Internal Format

The numbers are stored as objects, and their internals might change at any time, especially between math operations. The objects also might belong to different classes, like Math::BigInt or Math::BigInt::Lite. Mixing them together, even with normal scalars, is not extraordinary but normal and expected.

You should not depend on the internal format; all accesses must go through accessor methods. E.g. looking at $x->{sign} is not a good idea, since there is no guarantee that the object in question has such a hash key, nor that there is a hash underneath at all.

Sign

The sign is either '+', '-', 'NaN', '+inf' or '-inf'. You can access it with the sign() method.

A sign of 'NaN' is used to represent the result when input arguments are not numbers or as a result of 0/0. '+inf' and '-inf' represent plus and minus infinity, respectively. You will get '+inf' when dividing a positive number by 0, and '-inf' when dividing any negative number by 0.

Method calls

Since all numbers are now objects, you can use all functions that are part of the BigInt API. You can only use the bxxx() notation, and not the fxxx() notation, though.

But a warning is in order. When using the following to make a copy of a number, only a shallow copy will be made.

$x = 9; $y = $x;
$x = $y = 7;

Using the copy or the original with overloaded math is okay, e.g. the following work:

$x = 9; $y = $x;
print $x + 1, " ", $y,"\n";	# prints 10 9

but calling any method that modifies the number directly will result in both the original and the copy being destroyed:

$x = 9; $y = $x;
print $x->badd(1), " ", $y,"\n";	# prints 10 10

$x = 9; $y = $x;
print $x->binc(1), " ", $y,"\n";	# prints 10 10

$x = 9; $y = $x;
print $x->bmul(2), " ", $y,"\n";	# prints 18 18

Using methods that do not modify, but only test, the contents works:

$x = 9; $y = $x;
$z = 9 if $x->is_zero();		# works fine

See the documentation about the copy constructor and = in overload, as well as the documentation in BigInt for further details.
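One way to avoid the shared-object pitfall described above, as an added example that is not part of the bigint documentation: Math::BigInt's copy() method creates an independent object, so an in-place method on the copy leaves the original untouched. The incremented helper is constructed for this example.

```perl
use strict;
use warnings;
use bigint;

# Returns a number one larger than $n without modifying $n: copy() creates
# an independent object and binc() then mutates only that copy.
sub incremented {
    my ($n) = @_;
    return $n->copy->binc;
}

my $x = 9;
my $y = $x;                    # shallow copy: one object, two names
my $z = incremented($x);       # $x and $y keep their value, $z is a new object

# Contrast with calling the mutating method on the shared object directly.
my $p = 9;
my $q = $p;
$p->binc;                      # changes the object $q refers to as well

print "x=$x y=$y z=$z\n";
print "p=$p q=$q\n";
```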

Methods

inf()

A shortcut to return Math::BigInt->binf(). Useful because Perl does not always handle bareword inf properly.

NaN()

A shortcut to return Math::BigInt->bnan(). Useful because Perl does not always handle bareword NaN properly.

e
# perl -Mbigint=e -wle 'print e'

Returns Euler's number e, aka exp(1). Note that under bigint, this is truncated to an integer, and hence simply '2'.

PI
# perl -Mbigint=PI -wle 'print PI'

Returns PI. Note that under bigint, this is truncated to an integer, and hence simply '3'.

bexp()
bexp($power,$accuracy);

Returns Euler's number e raised to the appropriate power, to the wanted accuracy.

Note that under bigint, the result is truncated to an integer.

Example:

# perl -Mbigint=bexp -wle 'print bexp(1,80)'

bpi()
bpi($accuracy);

Returns PI to the wanted accuracy. Note that under bigint, this is truncated to an integer, and hence simply '3'.

Example:

# perl -Mbigint=bpi -wle 'print bpi(80)'

upgrade()

Returns the class that numbers are upgraded to; in fact this returns $Math::BigInt::upgrade.

in_effect()
use bigint;

print "in effect\n" if bigint::in_effect;	# true
{
  no bigint;
  print "in effect\n" if bigint::in_effect;	# false
}

Returns true if bigint is in effect in the current scope, false otherwise.

This method only works on Perl v5.9.4 or later.

CAVEATS

Operator vs literal overloading

bigint works by overloading handling of integer and floating point literals, converting them to Math::BigInt objects.

This means that arithmetic involving only string values or string literals will be performed using Perl's built-in operators.

For example:

use bigint;
my $x = "900000000000000009";
my $y = "900000000000000007";
print $x - $y;

will output 0 on default 32-bit builds, since bigint never sees the string literals. To ensure the whole expression is treated as Math::BigInt objects, use a literal number in the expression:

print +(0+$x) - $y;
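A worked example of this caveat, added here and not part of the bigint documentation: untrusted numeric strings are validated and converted explicitly with Math::BigInt->new, so the subtraction happens in bigint space no matter which operands arrived as strings. The sample input values and the untrusted_to_bigint helper are constructed for this example.

```perl
use strict;
use warnings;
use Math::BigInt;
use bigint;

# Constructed sample input: two integers beyond 64-bit precision, as they
# would arrive from a form field, a header or a config file (as strings).
my ($input_a, $input_b) = ("36893488147419103233", "36893488147419103231");

# Native path: neither operand is a bigint object, so Perl's built-in
# subtraction converts both strings to native numbers. Both exceed the
# native integer range, so they round to the same floating-point value and
# the difference between them is lost.
my $native_diff = $input_a - $input_b;

# Explicit path: reject anything that is not an integer literal, then build
# the Math::BigInt object yourself instead of relying on literal overloading.
# Math::BigInt->new() returns NaN rather than dying on unparseable input,
# so that case is checked as well.
sub untrusted_to_bigint {
    my ($s) = @_;
    die "not an integer: '$s'\n" unless $s =~ /\A[+-]?[0-9]+\z/;
    my $n = Math::BigInt->new($s);
    die "unparseable integer: '$s'\n" if $n->is_nan;
    return $n;
}

my $exact_diff = untrusted_to_bigint($input_a) - untrusted_to_bigint($input_b);

# The shortcut from the documentation: the literal 0 is a bigint object, so
# the overloaded + receives the raw string and converts it without rounding.
my $shortcut_diff = (0 + $input_a) - $input_b;

print "native:   $native_diff\n";
print "bigint:   $exact_diff\n";
print "shortcut: $shortcut_diff\n";
```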

ranges

Perl does not allow overloading of ranges, so you can neither safely use ranges with bigint endpoints, nor is the iterator variable a bigint.

use 5.010;
for my $i (12..13) {
  for my $j (20..21) {
    say $i ** $j;  # produces a floating-point number,
                   # not a big integer
  }
}
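An added example, not from the documentation, of working around the range caveat: a C-style for loop with bigint literals as bounds never touches the range operator, so the loop variables stay Math::BigInt objects and each power is exact. The exact_powers function is constructed for this example.

```perl
use strict;
use warnings;
use bigint;

# The range operator is not overloaded, so 12..13 hands the loop native
# integers and $i ** $j is computed in floating point. A C-style loop avoids
# the range operator entirely: $lo, $hi and the literal 1 behind ++ are all
# bigint objects, so $i and $j remain Math::BigInt objects throughout.
# The overloaded ++ copies before mutating, so the caller's bounds are not
# changed by the loop.
sub exact_powers {
    my ($lo, $hi, $elo, $ehi) = @_;
    my @results;
    for (my $i = $lo; $i <= $hi; $i++) {
        for (my $j = $elo; $j <= $ehi; $j++) {
            push @results, $i ** $j;   # exact, however large it gets
        }
    }
    return @results;
}

# Same bounds as the documentation's loop; the arguments are bigint literals.
for my $p (exact_powers(12, 13, 20, 21)) {
    print ref($p), ": $p\n";   # ref() shows each value is still an object
}
```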

in_effect()

This method only works on Perl v5.9.4 or later.

hex()/oct()

bigint overrides these routines with versions that can also handle big integer values. Under Perl prior to version v5.9.4, however, this will not happen unless you specifically ask for it with the two import tags "hex" and "oct" - and then it will be global and cannot be disabled inside a scope with "no bigint":

use bigint qw/hex oct/;

print hex("0x1234567890123456");
{
	no bigint;
	print hex("0x1234567890123456");
}

The second call to hex() will warn about a non-portable constant.

Compare this to:

use bigint;

# will warn only under Perl older than v5.9.4
print hex("0x1234567890123456");

MODULES USED

bigint is just a thin wrapper around various modules of the Math::BigInt family. Think of it as the head of the family, who runs the shop, and orders the others to do the work.

The following modules are currently used by bigint:

Math::BigInt::Lite	(for speed, and only if it is loadable)
Math::BigInt

EXAMPLES

Some cool command line examples to impress the Python crowd ;) You might want to compare them to the results under -Mbignum or -Mbigrat:

perl -Mbigint -le 'print sqrt(33)'
perl -Mbigint -le 'print 2*255'
perl -Mbigint -le 'print 4.5+2*255'
perl -Mbigint -le 'print 3/7 + 5/7 + 8/3'
perl -Mbigint -le 'print 123->is_odd()'
perl -Mbigint -le 'print log(2)'
perl -Mbigint -le 'print 2 ** 0.5'
perl -Mbigint=a,65 -le 'print 2 ** 0.2'
perl -Mbignum=a,65,l,GMP -le 'print 7 ** 7777'

LICENSE

This program is free software; you may redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

Especially bigrat as in perl -Mbigrat -le 'print 1/3+1/4' and bignum as in perl -Mbignum -le 'print sqrt(2)'.

Math::BigInt, Math::BigRat and Math::Big as well as Math::BigInt::Pari and Math::BigInt::GMP.

AUTHORS

(C) by Tels http://bloodgate.com/ in early 2002 - 2007.