[Bug binutils/30595] New: strings crashes when told to search for string

bug-binutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug binutils/30595] New: strings crashes when told to search for string

From:	gabravier at gmail dot com
Subject:	[Bug binutils/30595] New: strings crashes when told to search for strings of size 0xFFFFFFFF
Date:	Thu, 29 Jun 2023 10:37:33 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30595

            Bug ID: 30595
           Summary: strings crashes when told to search for strings of
                    size 0xFFFFFFFF
           Product: binutils
           Version: 2.41 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: gabravier at gmail dot com
  Target Milestone: ---

Version of the utility:
$ ./binutils/strings --version
GNU strings (GNU Binutils) 2.40.50.20230629
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

Patches: None, the source code used is current HEAD (git commit
3933413e7887045bf1eed302040177bcfee92c2f)

Type of machine used, OS and version number:
$ uname -a
Linux fedora 6.3.8-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 15 02:15:40
UTC 2023 x86_64 GNU/Linux

Compiler used to compile the utilities:
$ gcc --version
gcc (GCC) 13.1.1 20230614 (Red Hat 13.1.1-4)
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Command arguments used to reproduce the bug:
$ ./binutils/strings -n0xFFFFFFFF <(echo
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
double free or corruption (out)
Aborted (core dumped)

Behavior I observe that I believe is incorrect:
strings crashes. I believe it should output nothing as there are no strings
longer than 4294967295 characters in the provided input file.



The bug appears to be caused by the following code:

  char *buf = (char *) xmalloc (sizeof (char) * (string_min + 1));

which ends up passing a value of 0 to xmalloc, which makes it allocate a 1-byte
buffer, which strings then proceeds to immediately overflow while trying to
read string_min characters into it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug binutils/30595] New: strings crashes when told to search for strings of size 0xFFFFFFFF, gabravier at gmail dot com <=
- [Bug binutils/30595] strings crashes when told to search for strings of size 0xFFFFFFFF, gabravier at gmail dot com, 2023/06/29
- [Bug binutils/30595] strings crashes when told to search for strings of size 0xFFFFFFFF, nickc at redhat dot com, 2023/06/30
- [Bug binutils/30595] strings crashes when told to search for strings of size 0xFFFFFFFF, cvs-commit at gcc dot gnu.org, 2023/06/30
- [Bug binutils/30595] strings crashes when told to search for strings of size 0xFFFFFFFF, nickc at redhat dot com, 2023/06/30

Prev by Date: [Bug ld/30374] ld: Add --remap-inputs-file= to remap input files
Next by Date: [Bug binutils/30595] strings crashes when told to search for strings of size 0xFFFFFFFF
Previous by thread: [Bug gas/30593] New: Tweak AArch64 gas tests so that they will work for COFF/PE based targets
Next by thread: [Bug binutils/30595] strings crashes when told to search for strings of size 0xFFFFFFFF
Index(es):
- Date
- Thread