Fwd: Bug#1025940: info: buffer overflow in copy

bug-texinfo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fwd: Bug#1025940: info: buffer overflow in copy_converting()

From:	Hilmar Preuße
Subject:	Fwd: Bug#1025940: info: buffer overflow in copy_converting()
Date:	Mon, 12 Dec 2022 13:31:39 +0100
User-agent:	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.1

Hello,

another one for you. The issue is reproducible with latest git checkout.
I could only test on amd64, where the error message looks differently.

hille@sid-amd64:~$ /usr/bin/info groff > /dev/null
realloc(): invalid next size
Aborted (core dumped)

Many thanks!

Hilmar


-------- Weitergeleitete Nachricht --------
Betreff: Bug#1025940: info: buffer overflow in copy_converting()
Weitersenden-Datum: Mon, 12 Dec 2022 09:51:01 +0000
Weitersenden-Von: Jakub Wilk <jwilk@jwilk.net>
Weitersenden-An: debian-bugs-dist@lists.debian.org
Weitersenden-CC: jwilk@jwilk.net, Debian TeX Task Force
<debian-tex-maint@lists.debian.org>
Datum: Mon, 12 Dec 2022 10:48:35 +0100
Von: Jakub Wilk <jwilk@jwilk.net>
Antwort an: Jakub Wilk <jwilk@jwilk.net>, 1025940@bugs.debian.org
An: submit@bugs.debian.org

Package: info
Version: 7.0.1-1

Some parts of groff.info make info(1) crash:

   $ info groff > /dev/null
   corrupted size vs. prev_size
   Aborted

Valgrind says it's a buffer overflow:

   Invalid write of size 1
      at 0x48CAD69: internal_utf8_loop (loop.c:335)
      by 0x48CAD69: __gconv_transform_internal_utf8 (skeleton.c:619)
      by 0x485A467: gconv (skeleton.c:675)
      by 0x48C61F7: __gconv (gconv.c:77)
      by 0x48C5C5D: iconv (iconv.c:51)
      by 0x12CA1F: text_buffer_iconv (util.c:358)
      by 0x11C756: copy_converting (scan.c:702)
      by 0x11C756: copy_input_to_output.part.0 (scan.c:870)
      by 0x11E524: copy_input_to_output (scan.c:1643)
      by 0x11E524: scan_node_contents (scan.c:1643)
      by 0x11BE00: info_node_of_tag_ext (nodes.c:1289)
      by 0x121762: dump_node_to_stream (session.c:3818)
      by 0x127FEA: dump_nodes_to_file (session.c:3782)
      by 0x10CA25: main (info.c:1062)
    Address 0x4ca2ff5 is 0 bytes after a block of size 1,269 alloc'd
      at 0x484556B: realloc (in
/usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
      by 0x13093F: xrealloc (xmalloc.c:66)
      by 0x12C977: text_buffer_alloc (util.c:327)
      by 0x12C977: text_buffer_alloc (util.c:320)
      by 0x11C710: copy_converting (scan.c:695)
      by 0x11C710: copy_input_to_output.part.0 (scan.c:870)
      by 0x11E524: copy_input_to_output (scan.c:1643)
      by 0x11E524: scan_node_contents (scan.c:1643)
      by 0x11BE00: info_node_of_tag_ext (nodes.c:1289)
      by 0x121762: dump_node_to_stream (session.c:3818)
      by 0x127FEA: dump_nodes_to_file (session.c:3782)
      by 0x10CA25: main (info.c:1062)


-- System Information:
Architecture: i386

Versions of packages info depends on:
ii  libc6         2.36-6
ii  libtinfo6     6.3+20220423-2
ii  install-info  6.8-6+b1

--
Jakub Wilk

[Prev in Thread]

Current Thread

[Next in Thread]

Fwd: Bug#1025940: info: buffer overflow in copy_converting(), Hilmar Preuße <=
- Re: Fwd: Bug#1025940: info: buffer overflow in copy_converting(), Gavin Smith, 2022/12/12

Prev by Date: Re: protection of space inside @w is wrong
Next by Date: Re: Fwd: Bug#1025940: info: buffer overflow in copy_converting()
Previous by thread: Re: protection of space inside @w is wrong
Next by thread: Re: Fwd: Bug#1025940: info: buffer overflow in copy_converting()
Index(es):
- Date
- Thread