
paste -d\\ crash bug

From: Cristian Cadar
Subject: paste -d\\ crash bug
Date: Wed, 26 Mar 2008 23:30:50 -0700

  Hi Jim,

  We found a crash bug in paste, due to an unbounded buffer overflow.
The bug is similar to the ptx bug that we reported earlier, and is due
to a lone backslash following the -d flag.
  Here is an input that crashes libc on my machine: 

$ paste -d\\ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
*** glibc detected *** paste: free(): invalid next size (normal):
0x09035888 ***

  The problem seems to be in collapse_escapes(), which, when given a lone
backslash, incorrectly advances 'strptr' past the end of the string, and
continues copying from there, overflowing the 'delims' buffer.
  As usual, we appreciate your confirmation of the bug.
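
Added example, not part of the original message and not the coreutils source: a bounds-checked escape collapser in C that rejects a delimiter list ending in a lone backslash instead of reading past the terminator. The function name, signature and return convention are hypothetical; the escape set (\n, \t, \\, \0) is the one POSIX specifies for paste -d.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not the coreutils function. Collapses the escapes in
   `in` into `out` (capacity `outsz` bytes). Returns the number of delimiter
   bytes written, or -1 if the list ends in a lone backslash or does not fit. */
long collapse_escapes_checked(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    while (*in != '\0') {
        char c = *in++;
        if (c == '\\') {
            /* An escape needs one more byte. If that byte is the terminator,
               stop: consuming it would move `in` past the end of the string,
               and the loop test would then read whatever follows. */
            if (*in == '\0')
                return -1;
            char e = *in++;
            switch (e) {
            case 'n': c = '\n'; break;
            case 't': c = '\t'; break;
            case '0': c = '\0'; break;  /* empty delimiter */
            default:  c = e;    break;  /* "\\" and unknown escapes */
            }
        }
        if (n >= outsz)                 /* never write past the output buffer */
            return -1;
        out[n++] = c;
    }
    return (long)n;
}

int main(void)
{
    /* Constructed inputs: the C literal "\\" is the single backslash that the
       shell passes for `paste -d\\`. */
    const char *samples[] = { "\\", "\\\\", "a\\tb", "ab\\" };
    char buf[8];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s -> %ld\n", samples[i],
               collapse_escapes_checked(samples[i], buf, sizeof buf));
    return 0;
}
```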

