GNU bug report logs - #78880
od Heap-buffer overflow

Package: coreutils;

Reported by: Jaehoon Jang <jaehoon.jang <at> prosys.kaist.ac.kr>

Date: Mon, 23 Jun 2025 19:13:05 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.


Message #13 received at 78880-done <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Jaehoon Jang <jaehoon.jang <at> prosys.kaist.ac.kr>, 78880-done <at> debbugs.gnu.org
Subject: Re: bug#78880: od Heap-buffer overflow
Date: Tue, 24 Jun 2025 15:03:41 +0100
On 24/06/2025 01:16, Pádraig Brady wrote:
> On 23/06/2025 09:24, Jaehoon Jang wrote:
>> =================================================================
>> ==1151699==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x6150000004f9 at pc 0x0000004d153f bp 0x7fff937f0410 sp 0x7fff937f0408
>> WRITE of size 1 at 0x6150000004f9 thread T0
>>       #0 0x4d153e in dump_strings coreutils/src/od.c:1570:14
> 
> Nice fuzzing.
> 
> There look to be all sorts of off-by-one errors in the dump_strings() function.
> The issue is most easily demonstrated with:
> 
>     printf '%100s' | tr ' ' . | valgrind od -N100 -S99
> 
> The following should fix this I think.
> I've only analyzed it for a few minutes, so I'll look more tomorrow.
> The following should also fix the printed offset,
> and also support the -N100 -S100 combination.

The previous patch didn't handle the invalid address output in all cases.
Also I didn't see a need for both read() loops in this function,
so I simplified the function in the attached more complete patch.

Marking this as done.

I'll apply this later.

thanks again,
Padraig.
[0001-od-fix-various-off-by-one-issues-with-strings-with-N.patch (text/x-patch, attachment)]
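To make the boundary the report describes concrete, here is an added, constructed model of a -S/-N style string scanner; it is not od.c and not the attached patch, and the names scan_strings, repro_dots and the fixed flag are this example's own. It keeps a work buffer of max(100, min_len) bytes, and shows how a run that is cut off exactly at the -N limit (the printf '%100s' | tr ' ' . | od -N100 -S99 case) leaves no slot for the terminating NUL, while growing one byte earlier removes the overflow.

```c
#include <ctype.h>
#include <stdlib.h>
/* Constructed model of an od -S/-N style scanner, not od.c itself: scan at
 * most max_bytes for runs of >= min_len printable bytes. Returns the run count,
 * or -1 when the NUL terminator would land one past the buffer (ASan's write). */
static int scan_strings(const unsigned char *in, size_t in_len,
                        size_t max_bytes, size_t min_len, int fixed)
{
    size_t cap = min_len > 100 ? min_len : 100;   /* work buffer size */
    char *buf = malloc(cap);
    if (!buf) return -1;
    size_t limit = in_len < max_bytes ? in_len : max_bytes, pos = 0;
    int found = 0;
    while (pos < limit) {
        size_t i = 0;
        while (pos < limit) {           /* collect one printable run */
            /* Buggy: grow only when full, so a store can leave i == cap with
             * no slot for the NUL. Fixed: grow while one slot is still free. */
            if (i + (fixed ? 1 : 0) == cap) {
                char *nb = realloc(buf, cap * 2);
                if (!nb) { free(buf); return -1; }
                buf = nb; cap *= 2;
            }
            if (!isprint(in[pos])) break;
            buf[i++] = (char)in[pos++];
        }
        if (i >= min_len) {
            /* A run cut off exactly at the -N limit leaves the loop above
             * without growing, so i == cap and buf[i] is out of bounds: guarded, not written. */
            if (i >= cap) { free(buf); return -1; }
            buf[i] = '\0';
            found++;
        }
        if (pos < limit) pos++;         /* skip the byte that ended the run */
    }
    free(buf);
    return found;
}

/* Mirrors the report's repro input (printf '%100s' | tr ' ' .): n dots. */
static int repro_dots(size_t n, size_t max_bytes, size_t min_len, int fixed)
{
    unsigned char *dots = malloc(n);
    if (!dots) return -1;
    for (size_t k = 0; k < n; k++) dots[k] = '.';
    int r = scan_strings(dots, n, max_bytes, min_len, fixed);
    free(dots);
    return r;
}
```

Note that doubling the buffer does not help by itself: with 200 dots and -N200 the buggy variant grows once and still ends with i == cap, so the check has to keep a spare byte, not just a bigger buffer.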



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.