Hi Jim, we found a buffer overflow in pr, due to the invalid
processing of backspaces and tabs.
  Here is a simple input that our tool generated:
  pr --e pr-bug.txt

  Another input, that crashes in glibc on my machine is:
  pr -e pr-bug-crash.txt

  Both pr-bug.txt and pr-bug-crash.txt are attached.

  One case that triggers the bug is when the input file contains a
series of backspaces followed by a TAB.  Function char_to_clump() allows
input_position to become negative, decrementing it for every backspace.
Then, when a TAB is processed, the macro TAB_WIDTH returns a number
larger than the default size of the clump_buff buffer, and the loop at
pr.c:2669-2670 writes invalid memory.  The overflow seems to be bounded
(for the default tab size, width cannot exceed 15), but this seems to be
enough to crash glibc on my machine.  I found the bug quite interesting.
I think it was due to the incorrect assumption that 0 <= h % c < c.

 602: #define TAB_WIDTH(c_, h_) ((c_) - ((h_) % (c_)))
 ...
2665: width = TAB_WIDTH (chars_per_c, input_position);
2666:
2667: if (untabify_input)
2668:   {
2669:       for (i = width; i; --i)
2670:         *s++ = ' ';
2671:       chars = width;
2672:   }

  Cristian

_______________________________________________
Bug-coreutils mailing list
Bug-coreutils@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-coreutils
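A worked demonstration of the arithmetic Cristian describes, added here as an example and not code from the coreutils tree or from the report: it reproduces the TAB_WIDTH macro quoted above, tracks input_position the way char_to_clump() does for a run of backspaces followed by a TAB, and compares the result against a hypothetical non-negative-modulo variant (TAB_WIDTH_SAFE, an assumption for illustration only, not the fix coreutils applied). The helper names clump_width, max_tab_width and CHARS_PER_C, and the input strings, are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* The TAB_WIDTH macro as quoted from pr.c (line 602 in the report).
   With a negative h_, C's % yields a negative remainder, so the
   subtraction produces a width larger than c_. */
#define TAB_WIDTH(c_, h_) ((c_) - ((h_) % (c_)))

/* Hypothetical hardened form (an assumption for this example, not the
   coreutils fix): fold h_ into [0, c_) first, so the result always lies
   in [1, c_] and can never exceed the tab stop. */
#define TAB_WIDTH_SAFE(c_, h_) ((c_) - ((((h_) % (c_)) + (c_)) % (c_)))

/* Default tab stop for pr -e with no argument: 8 columns. */
#define CHARS_PER_C 8

/* Simulates the relevant part of char_to_clump(): every '\b' decrements
   input_position with no floor at zero, any other byte increments it,
   and the first '\t' asks TAB_WIDTH how many spaces to emit.  Returns
   that width (0 if the input contains no TAB).  use_safe selects the
   hardened macro instead of the original one. */
static int clump_width(const char *input, int chars_per_c, int use_safe)
{
    int input_position = 0;
    for (const char *p = input; *p; p++) {
        if (*p == '\b') {
            input_position--;          /* may go negative, as in pr.c */
        } else if (*p == '\t') {
            return use_safe ? TAB_WIDTH_SAFE(chars_per_c, input_position)
                            : TAB_WIDTH(chars_per_c, input_position);
        } else {
            input_position++;
        }
    }
    return 0;
}

/* Largest width the original macro can return for any run of up to
   max_backspaces backspaces followed by a TAB.  For chars_per_c == 8
   this is 15, the bound the report mentions: -7 % 8 == -7, so
   8 - (-7) == 15, and longer runs only cycle through the same values. */
static int max_tab_width(int chars_per_c, int max_backspaces)
{
    char buf[256];
    int worst = 0;
    for (int n = 0; n <= max_backspaces && n < (int)sizeof buf - 1; n++) {
        memset(buf, '\b', n);      /* constructed input: n backspaces */
        buf[n] = '\t';             /* then one TAB */
        buf[n + 1] = '\0';
        int w = clump_width(buf, chars_per_c, 0);
        if (w > worst)
            worst = w;
    }
    return worst;
}

int main(void)
{
    const char input[] = "\b\b\b\t";   /* constructed: 3 backspaces, TAB */
    int w = clump_width(input, CHARS_PER_C, 0);
    printf("TAB_WIDTH(8, -3)      = %d (%s the %d-column tab stop)\n",
           w, w > CHARS_PER_C ? "exceeds" : "within", CHARS_PER_C);
    printf("TAB_WIDTH_SAFE(8, -3) = %d\n", clump_width(input, CHARS_PER_C, 1));
    printf("worst case, tab = 8   = %d\n", max_tab_width(CHARS_PER_C, 64));
    return 0;
}
```

Run as-is, the program shows the original macro returning 11 for three backspaces (8 - (-3)), which is more than the 8 bytes a clump for an 8-column tab stop accounts for, while the folded-modulo variant returns 3; the scan in max_tab_width confirms that no run length pushes the original beyond 15 for the default tab size.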