This is a continuation of #14003.
xxd writes each output line into a global buffer before printing. The maximum size of that buffer was not calculated correctly.
This command was crashing in AddressSanitizer:
xxd -Ralways -g1 -c256 -d -o 9223372036854775808 /etc/passwd
This prints a line of 6680 bytes, but the buffer only had room for 6549 bytes. If the output from "-b" was colored, the line could be even longer.
https://github.com/vim/vim/pull/14738
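As an added illustration of the budget the description computes (this is example code, not xxd's or the PR's own), the corrected LLEN bound sits beside a bounded line formatter that refuses to write past its buffer, run on the crashing parameters so the 6680-byte line, the 6549-byte buffer and the 6700-byte budget can be checked against each other. The line shape, the colour escapes and the LONG_MIN address are assumptions taken from the test's expected string, not from xxd's implementation.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
/* Worst-case line budget from the PR's corrected LLEN expression, parameterised on the column count. */
#define LLEN(cols) (39 + 2 + 13 * (cols) + ((cols) - 1) + 2 + 12 * (cols) + 2)
#define GREEN "\x1b[1;32m"   /* 7 + 4 escape bytes, as in the test's expected string */
#define RESET "\x1b[0m"

/* Append src at buf[*pos]; refuse (-1) instead of writing past cap. */
static int put(char *buf, size_t cap, size_t *pos, const char *src)
{
    size_t n = strlen(src);
    if (*pos + n >= cap) return -1;        /* no room for src plus the NUL */
    memcpy(buf + *pos, src, n + 1);        /* copies the terminating NUL too */
    *pos += n;
    return 0;
}

/* One "-d -g1 -Ralways" style line: decimal address, colored one-byte hex groups,
 * a gap, colored ASCII, newline. Modelled on the shape of the test's expected
 * string, not on xxd's own code. Returns the length written, or -1. */
long format_line(char *buf, size_t cap, long addr, const unsigned char *data, int cols)
{
    size_t pos = 0;
    char tmp[40];
    snprintf(tmp, sizeof tmp, "%ld: ", addr);
    if (put(buf, cap, &pos, tmp)) return -1;
    for (int i = 0; i < cols; i++) {       /* hex group plus separating space */
        snprintf(tmp, sizeof tmp, GREEN "%02x" RESET " ", data[i]);
        if (put(buf, cap, &pos, tmp)) return -1;
    }
    if (put(buf, cap, &pos, " ")) return -1;
    for (int i = 0; i < cols; i++) {       /* input bytes assumed printable */
        snprintf(tmp, sizeof tmp, GREEN "%c" RESET, data[i]);
        if (put(buf, cap, &pos, tmp)) return -1;
    }
    return put(buf, cap, &pos, "\n") ? -1 : (long)pos;
}

/* The PR's crashing case: 256 'A's (constructed input) at LONG_MIN, which is the
 * test's -9223372036854775808 where long is 64 bits, into a cap-byte buffer. */
long crash_case_len(size_t cap)
{
    static char buf[LLEN(256) + 1];
    unsigned char data[256];
    if (cap > sizeof buf) return -2;       /* keep the model itself in bounds */
    memset(data, 'A', sizeof data);
    return format_line(buf, cap, LONG_MIN, data, 256);
}
```

With a 6549-byte buffer the formatter reports -1 where the unchecked global buffer overflowed; with LLEN(256) + 1 = 6701 bytes it returns the 6680-byte line, 20 bytes under the budget.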
Thanks, can you please add a test for this? See https://github.com/vim/vim/blob/master/src/testdir/test_xxd.vim
@Ordoviz pushed 1 commit.
@Ordoviz commented on this pull request.
> @@ -411,6 +411,17 @@ func Test_xxd_max_cols()
endfor
endfunc
+
+" Try to trigger a buffer overflow (#14738)
+func Test_xxd_buffer_overflow()
+ new
+ let input = repeat('A', 256)
+ let expected = ' -9223372036854775808: ' . repeat("\e[1;32m41\e[0m ", 256) . ' ' . repeat("\e[1;32mA\e[0m", 256)
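Review bot: the `let expected = ...` line hardcodes a leading space and the address `-9223372036854775808` without saying where either comes from, and the `9223372036854775808` given to `-o` in the reported command is 2^63, one past LONG_MAX where long is 64 bits, so the negative address the test relies on depends on the platform's long width. Add a comment stating that the test assumes a 64-bit long (or skip it otherwise), so that a failure on another platform is not mistaken for a regression of the overflow fix, and keep the `-o` value used in the xxd call and the one embedded in `expected` in a single variable so they cannot drift apart.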
I don't know why the expected result starts with a space (it does not seem to be printed by xxd). I also think the offset shouldn't be negative but it is what it is.
@Ordoviz pushed 1 commit.
@k-takata commented on this pull request.
In src/xxd/xxd.c:
> + 39 /* addr: ⌈log10(ULONG_MAX)⌉ if "-d" flag given. We assume ULONG_MAX = 2**128 */ \ + + 2 /* ": " */ \ + + 13 * COLS /* hex dump with colors */ \ + + (COLS - 1) /* whitespace between groups if "-g1" option given and "-c" maxed out */ \ + + 2 /* whitespace */ \ + + 12 * COLS /* ASCII dump with colors */ \ + + 2 /* "\n\0" */⬇️ Suggested change
- 39 /* addr: ⌈log10(ULONG_MAX)⌉ if "-d" flag given. We assume ULONG_MAX = 2**128 */ \ - + 2 /* ": " */ \ - + 13 * COLS /* hex dump with colors */ \ - + (COLS - 1) /* whitespace between groups if "-g1" option given and "-c" maxed out */ \ - + 2 /* whitespace */ \ - + 12 * COLS /* ASCII dump with colors */ \ - + 2 /* "\n\0" */ + (39 /* addr: ⌈log10(ULONG_MAX)⌉ if "-d" flag given. We assume ULONG_MAX = 2**128 */ \ + + 2 /* ": " */ \ + + 13 * COLS /* hex dump with colors */ \ + + (COLS - 1) /* whitespace between groups if "-g1" option given and "-c" maxed out */ \ + + 2 /* whitespace */ \ + + 12 * COLS /* ASCII dump with colors */ \ + + 2) /* "\n\0" */
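Review bot: the `13 * COLS /* hex dump with colors */` term budgets two hex digits per byte, so the bound only holds as long as `-b` output (eight digits per byte, 19 bytes with the same 7 + 4 escape bytes around them) stays uncolored, which the description says is the case today; state that assumption in the comment next to the term, otherwise a later change that colors `-b` silently reopens the overflow. The `39 /* addr ... We assume ULONG_MAX = 2**128 */` comment would also read better as "upper bound" rather than an assumption, since 39 digits comfortably covers a 20-digit 64-bit value plus a sign. Parenthesizing the whole expression as suggested is the right call for a multi-term macro body.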
It is better to surround it with parentheses.
@Ordoviz pushed 1 commit.