GNU bug report logs - #78880
od Heap-buffer overflow


Package: coreutils;

Reported by: Jaehoon Jang <jaehoon.jang <at> prosys.kaist.ac.kr>

Date: Mon, 23 Jun 2025 19:13:05 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.




From: Grisha Levit <grishalevit <at> gmail.com>
To: 78880 <at> debbugs.gnu.org, P <at> draigbrady.com, jaehoon.jang <at> prosys.kaist.ac.kr
Cc: 78880-done <at> debbugs.gnu.org
Subject: bug#78880: od Heap-buffer overflow
Date: Tue, 24 Jun 2025 10:27:36 -0400
On Tue, Jun 24, 2025, 10:04 Pádraig Brady <P <at> draigbrady.com> wrote:
>
> On 24/06/2025 01:16, Pádraig Brady wrote:
> > On 23/06/2025 09:24, Jaehoon Jang wrote:
> >> =================================================================
> >> ==1151699==ERROR: AddressSanitizer: heap-buffer-overflow on address
> >> 0x6150000004f9 at pc 0x0000004d153f bp 0x7fff937f0410 sp 0x7fff937f0408
> >> WRITE of size 1 at 0x6150000004f9 thread T0
> >>       #0 0x4d153e in dump_strings coreutils/src/od.c:1570:14
> >
> > Nice fuzzing.
> >
> > There looks to be all sorts of off by one errors in the dump_strings() function.
> > The issue is most easily demonstrated with:
> >
> >     printf '%100s' | tr ' ' . | valgrind od -N100 -S99
> >
> > The following should fix this I think.
> > I've only analyzed it for a few minutes, so I'll look more tomorrow.
> > The following should also fix the printed offset,
> > and also support the -N100 -S100 combination.
>
> The previous patch didn't handle the invalid address output in all cases.
> Also I didn't see a need for both read() loops in this function,
> so I simplified the function in the attached more complete patch.

This part:

>        tryline:
>    +     idx_t i = 0;
>    +     int c = 1; /* Init to 1 so can distinguish if NUL read. */

triggers

    warning: label followed by a declaration is a C23 extension [-Wc23-extensions]
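Review bot: the label `tryline:` is immediately followed by a declaration (`idx_t i = 0;`), and before C23 a label must be followed by a statement, not a declaration, which is exactly what the `-Wc23-extensions` warning is reporting. Either hoist the two declarations (`idx_t i` and `int c`) above the label and reset them after it, or keep them where they are and make the label precede a statement, e.g. `tryline:;` or `tryline: { idx_t i = 0; int c = 1; ... }`, so the function builds cleanly with compilers in C11/C17 mode.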


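The thread above concerns off-by-one errors in a growable buffer that collects printable bytes for `od -S`, most visibly when the read limit (`-N`) and the minimum string length (`-S`) are within one of each other. The following is an added, self-contained model of that kind of scanner, written for this page and not taken from coreutils' `od.c`: the names `scan_strings`, `store_byte`, `demo_dots` and `struct scan_result` are assumptions, and the sample inputs are constructed. Its one design rule is that every store into the buffer first guarantees room for that byte and for a terminator after it, so the `-N100 -S99` shape from the thread (100 printable bytes, no NUL, limit 100) is scanned without ever writing past the allocation.

```c
/* Simplified od -S style string scanner (illustrative model, not od.c).
   A "string" is a run of at least min_len printable bytes that ends in a
   NUL byte; at most `limit` bytes of the input are examined (like -N). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct scan_result {
    size_t count;     /* strings found */
    size_t last_off;  /* input offset of the last string found */
    size_t last_len;  /* length (excluding NUL) of the last string found */
};

/* Store c at buf[i]; grow so that buf[i] and buf[i + 1] are both in bounds.
   Keeping one spare slot means the later NUL terminator never overflows. */
static void store_byte(unsigned char **buf, size_t *cap, size_t i, int c)
{
    if (i + 1 >= *cap) {
        size_t ncap = *cap ? *cap * 2 : 16;
        while (ncap < i + 2)
            ncap *= 2;
        unsigned char *nb = realloc(*buf, ncap);
        if (!nb) {
            perror("realloc");
            exit(EXIT_FAILURE);
        }
        *buf = nb;
        *cap = ncap;
    }
    (*buf)[i] = (unsigned char) c;
}

struct scan_result scan_strings(const unsigned char *in, size_t in_len,
                                size_t limit, size_t min_len)
{
    struct scan_result r = {0, 0, 0};
    size_t n = in_len < limit ? in_len : limit;  /* honour the -N limit */
    unsigned char *buf = NULL;
    size_t cap = 0;
    size_t pos = 0;

    while (pos < n) {
        size_t start = pos;
        size_t i = 0;
        int terminated = 0;
        /* Collect printable bytes; stop on NUL (string end), on a
           non-printable byte, or when the read limit is reached. */
        while (pos < n) {
            int c = in[pos++];
            if (c == '\0') {
                terminated = 1;
                break;
            }
            if (!isprint(c))
                break;
            store_byte(&buf, &cap, i, c);
            i++;
        }
        if (terminated && i >= min_len) {
            store_byte(&buf, &cap, i, '\0');  /* bounds-checked terminator */
            r.count++;
            r.last_off = start;
            r.last_len = i;
        }
        /* Otherwise the run is discarded; the byte that ended it has
           already been consumed, so the next scan starts after it. */
    }
    free(buf);
    return r;
}

/* Constructed input: 100 '.' bytes followed by one NUL (101 bytes). */
struct scan_result demo_dots(size_t limit, size_t min_len)
{
    unsigned char in[101];
    memset(in, '.', 100);
    in[100] = '\0';
    return scan_strings(in, sizeof in, limit, min_len);
}

int main(void)
{
    struct scan_result a = demo_dots(100, 99);   /* like -N100 -S99: no NUL within limit */
    struct scan_result b = demo_dots(101, 100);  /* NUL in range, exactly 100 chars */
    printf("limit 100, min 99:  %zu string(s)\n", a.count);
    printf("limit 101, min 100: %zu string(s), offset %zu, length %zu\n",
           b.count, b.last_off, b.last_len);
    return 0;
}
```

With the read limit cutting the input before its NUL, the first call finds no terminated string and writes nothing out of bounds; the second, with the NUL in range, reports one string of length 100 at offset 0. Mixed input with a too-short run and a non-printable byte exercises the restart path.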

