paste -d\\ crash bug
From: Cristian Cadar
Subject: paste -d\\ crash bug
Date: Wed, 26 Mar 2008 23:30:50 -0700

Hi Jim,

We found a crash bug in paste, due to an unbounded buffer overflow.
The bug is similar to the ptx bug that we reported earlier, and is due
to a lone backslash following the -d flag.

Here is an input that crashes libc on my machine:

$ paste -d\\ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** glibc detected *** paste: free(): invalid next size (normal):
0x09035888 ***

The problem seems to be in collapse_escapes() which when given a lone
backslash, incorrectly advances 'strptr' past the end of the string, and
continues copying from there, overflowing the 'delims' buffer.

As usual, we appreciate your confirmation of the bug.

Cristian
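
An added example, not part of the original message and not the coreutils source: an escape-collapsing routine that carries the check the lone-backslash case described above needs, plus a bound on every write to the output buffer. The function name, return codes, buffer sizes and the set of escapes handled are assumptions made for this example.

```c
#include <stddef.h>

/* Return codes: names made up for this example. */
enum { ESC_OK = 0, ESC_TRAILING_BACKSLASH = -1, ESC_NO_SPACE = -2 };

/* Collapse backslash escapes from src into dst (at most dst_size bytes).
 * \0 is stored as a NUL byte, so the length comes back through out_len. */
int collapse_escapes_checked(const char *src, char *dst, size_t dst_size,
                             size_t *out_len)
{
    size_t n = 0;

    while (*src != '\0') {
        char c = *src++;

        if (c == '\\') {
            /* A backslash must be followed by a character. If the next
             * byte is the terminator, stop: consuming it would leave src
             * past the end of the string and the loop would go on
             * copying whatever lies beyond it. */
            if (*src == '\0')
                return ESC_TRAILING_BACKSLASH;

            c = *src++;
            switch (c) {
            case 'n': c = '\n'; break;
            case 't': c = '\t'; break;
            case '0': c = '\0'; break;
            default:  break;    /* \\ and unknown escapes: keep the char */
            }
        }

        if (n >= dst_size)      /* bound every write to dst */
            return ESC_NO_SPACE;
        dst[n++] = c;
    }

    *out_len = n;
    return ESC_OK;
}

int main(void)
{
    char delims[16];
    size_t len;
    /* "\\" is the single backslash that `paste -d\\` passes as the list. */
    return collapse_escapes_checked("\\", delims, sizeof delims, &len)
           == ESC_TRAILING_BACKSLASH ? 0 : 1;
}
```

A caller would treat ESC_TRAILING_BACKSLASH as a usage error and exit before opening any input files.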