[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug binutils/30595] New: strings crashes when told to search for string
From: |
gabravier at gmail dot com |
Subject: |
[Bug binutils/30595] New: strings crashes when told to search for strings of size 0xFFFFFFFF |
Date: |
Thu, 29 Jun 2023 10:37:33 +0000 |
https://sourceware.org/bugzilla/show_bug.cgi?id=30595
Bug ID: 30595
Summary: strings crashes when told to search for strings of
size 0xFFFFFFFF
Product: binutils
Version: 2.41 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: gabravier at gmail dot com
Target Milestone: ---
Version of the utility:
$ ./binutils/strings --version
GNU strings (GNU Binutils) 2.40.50.20230629
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.
Patches: None, the source code used is current HEAD (git commit
3933413e7887045bf1eed302040177bcfee92c2f)
Type of machine used, OS and version number:
$ uname -a
Linux fedora 6.3.8-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 15 02:15:40
UTC 2023 x86_64 GNU/Linux
Compiler used to compile the utilities:
$ gcc --version
gcc (GCC) 13.1.1 20230614 (Red Hat 13.1.1-4)
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Command arguments used to reproduce the bug:
$ ./binutils/strings -n0xFFFFFFFF <(echo
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
double free or corruption (out)
Aborted (core dumped)
Behavior I observe that I believe is incorrect:
strings crashes. I believe it should output nothing as there are no strings
longer than 4294967295 characters in the provided input file.
The bug appears to be caused by the following code:
char *buf = (char *) xmalloc (sizeof (char) * (string_min + 1));
which ends up passing a value of 0 to xmalloc, which makes it allocate a 1-byte
buffer, which strings then proceeds to immediately overflow while trying to
read string_min characters into it.
--
You are receiving this mail because:
You are on the CC list for the bug.
- [Bug binutils/30595] New: strings crashes when told to search for strings of size 0xFFFFFFFF,
gabravier at gmail dot com <=