On 23/06/2025 09:21, Jaehoon Jang wrote:
Potential Out-of-Memory Risk in coreutils od Due to Inadequate Argument
Validation for -w Option
*Description*
```
$ src/od -w0 /bin/ls
Aborted
```
Well we shouldn't be aborting at least.
The attached patch should avoid that.
thanks,
Padraig
From 777863c347d2730d47439bc38219fc296b3cd47f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?= <p...@draigbrady.com>
Date: Tue, 24 Jun 2025 15:47:48 +0100
Subject: [PATCH] od: output standard diagnostics for invalid -w arguments
* src/od.c (main): Don't pass LONGINT_OK to xstrtol_fatal(),
as otherwise it will abort().
* tests/od/od.pl: Add test cases.
* NEWS: Mention the bug fix.
Addresses https://bugs.gnu.org/78879
---
NEWS | 4 ++++
src/od.c | 4 +++-
tests/od/od.pl | 12 +++++++++++-
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index a05d8f1ba..60914a6e2 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,10 @@ GNU coreutils NEWS -*- outline -*-
write a NUL byte after a heap buffer, or output invalid addresses.
[These bugs were present in "the beginning".]
+ 'od -w foo' will now issue a diagnostic an exit.
+ Previously it would have aborted, possibly with a core dump.
+ [bug introduced in coreutils-9.3]
+
sort with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer. For example:
'sort +0.18446744073709551615R input' on 64 bit systems.
diff --git a/src/od.c b/src/od.c
index 1c9774142..426c7deee 100644
--- a/src/od.c
+++ b/src/od.c
@@ -1818,7 +1818,9 @@ main (int argc, char **argv)
{
intmax_t w_tmp;
s_err = xstrtoimax (optarg, nullptr, 10, &w_tmp, "");
- if (s_err != LONGINT_OK || w_tmp <= 0)
+ if (s_err == LONGINT_OK && w_tmp <= 0)
+ s_err = LONGINT_INVALID;
+ if (s_err != LONGINT_OK)
xstrtol_fatal (s_err, oi, c, long_options, optarg);
if (ckd_add (&desired_width, w_tmp, 0))
error (EXIT_FAILURE, 0, _("%s is too large"), quote (optarg));
diff --git a/tests/od/od.pl b/tests/od/od.pl
index affdc75ae..5bb271e60 100755
--- a/tests/od/od.pl
+++ b/tests/od/od.pl
@@ -23,6 +23,8 @@ use strict;
# Turn off localization of executable's output.
@ENV{qw(LANGUAGE LANG LC_ALL)} = ('C') x 3;
+my $prog = 'od';
+
# Use a file in /proc whose size is not likely to
# change between the wc and od invocations.
my $proc_file = '/proc/version';
@@ -64,11 +66,19 @@ my @Tests =
['wide-a', '-a -w65537 -An', {IN=>{g=>'x'}}, {OUT=>" x\n"}],
['wide-c', '-c -w65537 -An', {IN=>{g=>'x'}}, {OUT=>" x\n"}],
['wide-x', '-tx1 -w65537 -An', {IN=>{g=>'B'}}, {OUT=>" 42\n"}],
+
+ # Ensure that invalid widths do not cause trouble.
+ # From coreutils-9.3 through coreutils-9.7, these would abort
+ ['invalid-w-1', '-w0 -An', {IN=>""}, {EXIT=>1},
+ {ERR=>"$prog: invalid -w argument '0'\n"}],
+ ['invalid-w-2', '-w-1 -An', {IN=>""}, {EXIT=>1},
+ {ERR=>"$prog: invalid -w argument '-1'\n"}],
+ ['invalid-w-3', '-ww -An', {IN=>""}, {EXIT=>1},
+ {ERR=>"$prog: invalid -w argument 'w'\n"}],
);
my $save_temps = $ENV{DEBUG};
my $verbose = $ENV{VERBOSE};
-my $prog = 'od';
my $fail = run_tests ($program_name, $prog, \@Tests, $save_temps, $verbose);
exit $fail;
--
2.49.0
