GNU bug report logs - #78880
od Heap-buffer overflow


Package: coreutils

Reported by: Jaehoon Jang <jaehoon.jang <at> prosys.kaist.ac.kr>

Date: Mon, 23 Jun 2025 19:13:05 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>



From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Jim Meyering <jim <at> meyering.net>
Cc: 78880 <at> debbugs.gnu.org, jaehoon.jang <at> prosys.kaist.ac.kr, Pádraig Brady <P <at> draigbrady.com>, Grisha Levit <grishalevit <at> gmail.com>
Subject: bug#78880: od Heap-buffer overflow
Date: Sat, 28 Jun 2025 21:25:12 -0700
On 2025-06-24 18:31, Jim Meyering wrote:
> That goes way back. I think od.c
> was the second stand-alone program I contributed to coreutils (first
> was tr). The earliest email I still have that mentions it is from
> 1997-01 prior to textutils-1.22, but that was just a ChangeLog entry
> about adapting to a changed strtod API.

I have a soft spot for 'od' as I remember using it in Unix in the 1970s. 
So I looked for nearby bugs and found a few, mostly integer overflows. I 
installed the attached patches to refactor the source and to fix the 
bugs I found.

You might be amused by patch 0007, which fixes a POSIX conformance bug 
introduced in January 1995, in what is now Git commit 
851162a0da41f2b6b08a8c1ed045086db9a443a0. Evidently this POSIX-required 
feature is not often used! The NEWS item in the fix says "[bug 
introduced on 1995-01-25]" instead of the usual "[bug introduced in 
coreutils-N]" comment because I don't know how to relate that commit to 
a version number (would it be textutils? probably doesn't matter).

You might also be amused (or appalled) by patch 0007's hacky fix. I 
couldn't bestir myself to write a cleaner fix. The hacky fix doesn't 
require memory allocation so in some sense it's better than a cleaner 
one would be.
[0001-od-fix-theoretical-size_t-malloc-overflow.patch (text/x-patch, attachment)]
[0002-od-fix-another-off-by-one-issue-with-strings.patch (text/x-patch, attachment)]
[0003-maint-assume-long-long-int.patch (text/x-patch, attachment)]
[0004-od-don-t-assume-no-holes-in-wide-unsigned.patch (text/x-patch, attachment)]
[0005-od-prefer-idx_t-to-size_t.patch (text/x-patch, attachment)]
[0006-od-fix-some-unlikely-integer-overflows.patch (text/x-patch, attachment)]
[0007-od-fix-N.-bug.patch (text/x-patch, attachment)]
[0008-od-prefer-intmax_t-to-uintmax_t.patch (text/x-patch, attachment)]
[0009-od-initialize-type-size-tables-statically.patch (text/x-patch, attachment)]
[0010-od-support-uintmax_t-too.patch (text/x-patch, attachment)]
[0011-od-replace-lookup-tables-with-simple-arithmetic.patch (text/x-patch, attachment)]
[0012-od-omit-some-duplicate-code.patch (text/x-patch, attachment)]
[0013-od-minor-lcm-tuning.patch (text/x-patch, attachment)]
[0014-od-simpler-static-initialization.patch (text/x-patch, attachment)]
[0015-od-simplify-away-one-loop-copy.patch (text/x-patch, attachment)]
[0016-od-check-sign-bit-more-often.patch (text/x-patch, attachment)]
[0017-od-speed-up-S.patch (text/x-patch, attachment)]
[0018-od-fix-integer-overflow-with-large-pseudos.patch (text/x-patch, attachment)]
[0019-od-be-more-consistent-re-sizeof.patch (text/x-patch, attachment)]
