Fwd: Bug#1025940: info: buffer overflow in copy_converting()
From: Hilmar Preuße
Subject: Fwd: Bug#1025940: info: buffer overflow in copy_converting()
Date: Mon, 12 Dec 2022 13:31:39 +0100
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.1
Hello,
Another one for you. The issue is reproducible with the latest git checkout.
I could only test on amd64, where the error message looks different.
hille@sid-amd64:~$ /usr/bin/info groff > /dev/null
realloc(): invalid next size
Aborted (core dumped)
Many thanks!
Hilmar
-------- Forwarded Message --------
Subject: Bug#1025940: info: buffer overflow in copy_converting()
Resent-Date: Mon, 12 Dec 2022 09:51:01 +0000
Resent-From: Jakub Wilk <jwilk@jwilk.net>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: jwilk@jwilk.net, Debian TeX Task Force <debian-tex-maint@lists.debian.org>
Date: Mon, 12 Dec 2022 10:48:35 +0100
From: Jakub Wilk <jwilk@jwilk.net>
Reply-To: Jakub Wilk <jwilk@jwilk.net>, 1025940@bugs.debian.org
To: submit@bugs.debian.org
Package: info
Version: 7.0.1-1
Some parts of groff.info make info(1) crash:
$ info groff > /dev/null
corrupted size vs. prev_size
Aborted
Valgrind says it's a buffer overflow:
Invalid write of size 1
at 0x48CAD69: internal_utf8_loop (loop.c:335)
by 0x48CAD69: __gconv_transform_internal_utf8 (skeleton.c:619)
by 0x485A467: gconv (skeleton.c:675)
by 0x48C61F7: __gconv (gconv.c:77)
by 0x48C5C5D: iconv (iconv.c:51)
by 0x12CA1F: text_buffer_iconv (util.c:358)
by 0x11C756: copy_converting (scan.c:702)
by 0x11C756: copy_input_to_output.part.0 (scan.c:870)
by 0x11E524: copy_input_to_output (scan.c:1643)
by 0x11E524: scan_node_contents (scan.c:1643)
by 0x11BE00: info_node_of_tag_ext (nodes.c:1289)
by 0x121762: dump_node_to_stream (session.c:3818)
by 0x127FEA: dump_nodes_to_file (session.c:3782)
by 0x10CA25: main (info.c:1062)
Address 0x4ca2ff5 is 0 bytes after a block of size 1,269 alloc'd
at 0x484556B: realloc (in /usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
by 0x13093F: xrealloc (xmalloc.c:66)
by 0x12C977: text_buffer_alloc (util.c:327)
by 0x12C977: text_buffer_alloc (util.c:320)
by 0x11C710: copy_converting (scan.c:695)
by 0x11C710: copy_input_to_output.part.0 (scan.c:870)
by 0x11E524: copy_input_to_output (scan.c:1643)
by 0x11E524: scan_node_contents (scan.c:1643)
by 0x11BE00: info_node_of_tag_ext (nodes.c:1289)
by 0x121762: dump_node_to_stream (session.c:3818)
by 0x127FEA: dump_nodes_to_file (session.c:3782)
by 0x10CA25: main (info.c:1062)
-- System Information:
Architecture: i386
Versions of packages info depends on:
ii libc6 2.36-6
ii libtinfo6 6.3+20220423-2
ii install-info 6.8-6+b1
--
Jakub Wilk
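
The trace above shows iconv() writing one byte past a realloc'd block on the way to UTF-8. As an added illustration (not Texinfo's code and not a diagnosis of this bug; `struct gbuf`, `gbuf_reserve`, `gbuf_iconv` and the sample bytes are hypothetical and constructed here), this is the invariant an iconv loop over a growable buffer has to keep: the output pointer and the space handed to iconv() are recomputed from the buffer after every reallocation, and E2BIG triggers a grow-and-retry.

```c
#include <errno.h>
#include <iconv.h>
#include <stdlib.h>

/* Hypothetical growable buffer; not Texinfo's struct text_buffer. */
struct gbuf { char *base; size_t used, cap; };

/* Ensure at least `need` free bytes after `used`. Returns 0 on success. */
static int gbuf_reserve(struct gbuf *b, size_t need)
{
    if (b->cap - b->used >= need) return 0;
    size_t ncap = b->used + need;
    if (ncap < b->used) return -1;            /* size_t overflow */
    char *p = realloc(b->base, ncap);
    if (!p) return -1;
    b->base = p;
    b->cap = ncap;
    return 0;
}

/* Convert in[0..inlen) with cd, appending to b. Returns 0 on success. */
int gbuf_iconv(struct gbuf *b, iconv_t cd, const char *in, size_t inlen)
{
    char *inp = (char *)in;
    size_t inleft = inlen;
    if (gbuf_reserve(b, inlen ? inlen : 1) != 0) return -1;
    for (;;) {
        /* Derive both values from the buffer on every pass: realloc may have
           moved base, and iconv may use exactly cap - used bytes, no more. */
        char *outp = b->base + b->used;
        size_t outleft = b->cap - b->used;
        size_t r = iconv(cd, &inp, &inleft, &outp, &outleft);
        b->used = (size_t)(outp - b->base);
        if (r != (size_t)-1) return 0;
        if (errno != E2BIG) return -1;        /* EILSEQ/EINVAL: caller decides */
        if (gbuf_reserve(b, inleft * 4 + 16) != 0) return -1; /* grow, retry */
    }
}

/* Constructed sample: six Latin-1 bytes, each two bytes long in UTF-8, so the
   first pass runs out of room and the E2BIG path is exercised. */
size_t demo_converted_len(void)
{
    const char latin1[] = "\xE9\xE8\xFC\xDF\xF1\xE7";
    struct gbuf b = {0};
    iconv_t cd = iconv_open("UTF-8", "ISO-8859-1");
    if (cd == (iconv_t)-1) return 0;
    size_t n = gbuf_iconv(&b, cd, latin1, sizeof latin1 - 1) == 0 ? b.used : 0;
    iconv_close(cd);
    free(b.base);
    return n;
}
```
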