paste -d\\ crash bug

bug-coreutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

paste -d\\ crash bug

From:	Cristian Cadar
Subject:	paste -d\\ crash bug
Date:	Wed, 26 Mar 2008 23:30:50 -0700

  Hi Jim,

  We found a crash bug in paste, due to an unbounded buffer overflow.
The bug is similar to the ptx bug that we reported earlier, and is due
to a lone backslash following the -d flag.
  Here is an input that crashes libc on my machine: 

$ paste -d\\ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** glibc detected *** paste: free(): invalid next size (normal):
0x09035888 ***

  The problem seems to be in collapse_escapes() which when given a lone
backslash, incorrectly advances 'strptr' past the end of the string, and
continues copying from there, overflowing the 'delims' buffer.
  
  As usual, we appreciate your confirmation of the bug.

  Cristian

[Prev in Thread]

Current Thread

[Next in Thread]

FYI: mkdir -Z no-such-context DIR segfaults, Jim Meyering, 2008/03/25
- paste -d\\ crash bug, Cristian Cadar <=
  - Re: paste -d\\ crash bug, Jim Meyering, 2008/03/27

Prev by Date: Re: Bug#467378: coreutils: Please include a program to truncate files
Next by Date: Re: Not a bug, a wish
Previous by thread: FYI: mkdir -Z no-such-context DIR segfaults
Next by thread: Re: paste -d\\ crash bug
Index(es):
- Date
- Thread