bug-coreutils

pr buffer overflow


From: Cristian Cadar
Subject: pr buffer overflow
Date: Thu, 17 Apr 2008 17:57:15 -0700

  Hi Jim, we found a buffer overflow in pr, due to the invalid
processing of backspaces and tabs.  
  Here is a simple input that our tool generated:
  pr --e pr-bug.txt 

  Another input, that crashes in glibc on my machine is:
  pr -e pr-bug-crash.txt

  Both pr-bug.txt and pr-bug-crash.txt are attached.

  One case that triggers the bug is when the input file contains a
series of backspaces followed by a TAB.  Function char_to_clump() allows
input_position to become negative, decrementing it for every backspace.
Then, when a TAB is processed, the macro TAB_WIDTH returns a number
larger than the default size of the clump_buff buffer, and the loop at
pr.c:2669-2670 writes invalid memory.  The overflow seems to be bounded
(for the default tab size, width cannot exceed 15), but this seems to be
enough to crash glibc on my machine.  I found the bug quite interesting.
I think it was due to the incorrect assumption that 
0 <= h % c < c.

 602: #define TAB_WIDTH(c_, h_) ((c_) - ((h_) % (c_)))
 ...
2665: width = TAB_WIDTH (chars_per_c, input_position);
2666:
2667: if (untabify_input)
2668:   {
2669:       for (i = width; i; --i)
2670:         *s++ = ' ';
2671:       chars = width;
2672:   }

  Cristian

Attachment: pr-bug.txt
Description: Text document

Attachment: pr-bug-crash.txt
Description: Text document
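An added illustration of the arithmetic the report describes, not code from the report or from coreutils: in C the `%` operator truncates toward zero, so when `h_` is negative `h_ % c_` lies in (-c_, 0] and TAB_WIDTH returns a value in [c_, 2*c_-1] instead of [1, c_]. The program below copies the TAB_WIDTH macro from the report, then simulates the backspace/tab handling of char_to_clump() as described, once with the unchecked decrement and once with a clamp that keeps input_position at or above zero (the clamp is this example's own mitigation, not necessarily the fix that was applied to pr.c). The buffer size and the input strings are constructed here for the demonstration; the report does not state the size of clump_buff.

```c
#include <stdio.h>
#include <string.h>

/* Macro copied verbatim from the report (pr.c line 602). */
#define TAB_WIDTH(c_, h_) ((c_) - ((h_) % (c_)))

/* Width of a TAB expansion at column position h, as pr.c computes it.
   Correct for h >= 0; for h < 0 the C remainder is <= 0 and the result
   exceeds chars_per_c. */
int tab_width(int chars_per_c, int h)
{
    return TAB_WIDTH(chars_per_c, h);
}

/* Simulates the per-character loop the report describes: backspace
   decrements input_position, TAB expands to tab_width() spaces, any
   other byte advances one column.  Spaces are written into buf only
   while they fit; the return value is the largest single expansion
   requested, and *overflow is set when an expansion would not have
   fit in buf_size bytes.  When clamp is non-zero, input_position is
   never allowed to go below zero (this example's mitigation). */
int simulate_pr(const char *input, int chars_per_c, int clamp,
                char *buf, int buf_size, int *overflow)
{
    int input_position = 0;
    int max_width = 0;
    *overflow = 0;
    for (const char *p = input; *p; p++) {
        if (*p == '\b') {
            if (!clamp || input_position > 0)
                input_position--;           /* unchecked in the buggy version */
        } else if (*p == '\t') {
            int width = tab_width(chars_per_c, input_position);
            if (width > max_width)
                max_width = width;
            if (width > buf_size) {
                *overflow = 1;              /* pr.c would write past clump_buff here */
            } else {
                memset(buf, ' ', (size_t) width);
            }
            input_position += width;
        } else {
            input_position++;
        }
    }
    return max_width;
}

int main(void)
{
    /* Constructed input: seven backspaces followed by a TAB, as in the report. */
    const char *bad = "\b\b\b\b\b\b\b\t";
    char buf[8];
    int overflow;
    int w = simulate_pr(bad, 8, 0, buf, (int) sizeof buf, &overflow);
    printf("unchecked: width=%d overflow=%d\n", w, overflow);
    w = simulate_pr(bad, 8, 1, buf, (int) sizeof buf, &overflow);
    printf("clamped:   width=%d overflow=%d\n", w, overflow);
    return 0;
}
```

With an 8-column tab stop the unchecked run asks for 15 spaces (8 - (-7)), matching the upper bound quoted in the report, while the clamped run stays at 8.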

