Re: integer overflow in /bin/ls
From: Jim Meyering
Subject: Re: integer overflow in /bin/ls
Date: Mon, 13 Oct 2003 22:51:18 +0200
Paul Eggert <address@hidden> wrote:
> Georgi Guninski <address@hidden> writes:
>
>> The heap is quite screwed, but ls is killed by the kernel due to
>> memory usage.
>
> Thanks for reporting the bug. As it happens, I had already been
> preparing a more general patch for address arithmetic overflow bugs in
> coreutils. A patch for the 'ls' problem is enclosed below. It causes
> 'ls' to immediately report "memory exhausted" for your example. It
> also fixes a few other related bugs (notably on 64-bit hosts).
>
>> Probably ls should not accept big ints after -w.
>
> 'ls' could impose an arbitrary limit on column width, but that would
> run counter to the "no arbitrary limits" policy of GNU.
>
>> As a side effect this causes temporary DoS in wu-ftpd.
>
> Perhaps wu-ftpd can refuse to invoke 'ls' with the -w option, or with
> a -w option that wu-ftpd thinks would use too much memory.
>
>
> 2003-10-13 Paul Eggert <address@hidden>
>
> Fix address-arithmetic bug in 'ls', reported by Georgi Guninski.
> Remove several arbitrary limits on hosts where int cannot represent
> all size_t values.
Thanks, Paul!
I've applied that.
As you probably noticed, init_column_info allocates O(N^2)
space when ls is invoked with `--width=N' and -x or -C.
Eventually we may want to investigate changing the algorithm, or --
failing that -- limit N.
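
An added example, not code from coreutils or from the patch discussed in this thread: one way to size an O(N^2) column table with overflow checks, so that an oversized `--width=N` produces an allocation failure ("memory exhausted") instead of a wrapped, too-small size. The triangular layout (rows of 1..N entries) and every function name here are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Store a * b in *out; return false if the product would wrap size_t. */
static bool mul_ok(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return false;
    *out = a * b;
    return true;
}

/* Bytes for a triangular table with rows of 1, 2, ..., n size_t entries,
   i.e. n * (n + 1) / 2 entries (assumed layout, hypothetical helper).
   Returns false when the byte count is not representable in size_t. */
bool column_table_bytes(size_t n, size_t *bytes)
{
    size_t entries;
    if (n == SIZE_MAX)
        return false;                       /* n + 1 would wrap to 0 */
    /* Halve whichever of n, n + 1 is even before multiplying, so a
       representable result is not rejected by a doubled intermediate. */
    size_t a = (n % 2 == 0) ? n / 2 : n;
    size_t b = (n % 2 == 0) ? n + 1 : (n + 1) / 2;
    return mul_ok(a, b, &entries) && mul_ok(entries, sizeof(size_t), bytes);
}

/* Allocate the table, or return NULL so the caller can report
   "memory exhausted" rather than index past an undersized block. */
size_t *alloc_column_table(size_t n)
{
    size_t bytes;
    if (!column_table_bytes(n, &bytes))
        return NULL;
    return malloc(bytes ? bytes : 1);
}

int main(void)
{
    /* Constructed inputs; the third makes an unchecked n * (n + 1) wrap. */
    size_t half = (size_t)1 << (sizeof(size_t) * 4);
    size_t widths[] = { 80, 1000, half, SIZE_MAX };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        size_t bytes;
        if (column_table_bytes(widths[i], &bytes))
            printf("N=%zu: %zu bytes\n", widths[i], bytes);
        else
            printf("N=%zu: memory exhausted\n", widths[i]);
    }
    return 0;
}
```

The checks only prevent the size computation from wrapping; a large but representable N still requests O(N^2) memory, which is the remaining concern raised above.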