aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-08-25 19:53:53 -04:00
Code

patch 9.1.1616: xxd: possible buffer overflow with bitwise output

Browse Source 
Problem:  xxd: possible buffer overflow with bitwise output
          (after v9.1.1459, Xudong Cao)
Solution: Update LLEN_NO_COLOR macro definition for the max line output
          (using bitwise output -b)

fixes: #17944
closes: #17947

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt 2025-08-10 00:06:51 +02:00
parent 887b4981e7
commit eeef7c7743
No known key found for this signature in database
GPG Key ID: F3F92DA383FDDE09
4 changed files with 29 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/testdir/test_xxd.vim
View File

@ -680,4 +680,25 @@ func Test_xxd_color2()
call delete('XXDfile_colors') call delete('XXDfile_colors')
unlet! $PS1 unlet! $PS1
endfunc endfunc
" this caused a buffer overflow
func Test_xxd_overflow()
CheckUnix
CheckExecutable /bin/true
new
" we are only checking, that there are addresses in the first 5 lines
let expected = [
\ '00000000: ',
\ '00000080: ',
\ '00000100: ',
\ '00000180: ',
\ '00000200: ']
exe "0r! " s:xxd_cmd "-b -E -c 128 -g 256 /bin/true 2>&1"
" there should not be an ASAN error message
call getline(1, '$')->join('\n')->assert_notmatch('runtime error')
6,$d
%s/^\x\+: \zs.*//g
call assert_equal(expected, getline(1, 5))
bw!
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab

2
src/version.c
View File

@ -719,6 +719,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
1616,
/**/ /**/
1615, 1615,
/**/ /**/

4
src/xxd/Makefile
View File

@ -1,7 +1,9 @@
# The most simplistic Makefile # The most simplistic Makefile
# SANITIZER_CFLAGS=-g -O0 -fsanitize-recover=all -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer
xxd: xxd.c xxd: xxd.c
$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -DUNIX -o xxd xxd.c $(LIBS) $(CC) $(SANITIZER_CFLAGS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -DUNIX -o xxd xxd.c $(LIBS)
clean: clean:
rm -f xxd xxd.o rm -f xxd xxd.o

7
src/xxd/xxd.c
View File

@ -148,7 +148,7 @@ extern void perror __P((char *));
# endif # endif
#endif #endif
char version[] = "xxd 2025-06-15 by Juergen Weigert et al."; char version[] = "xxd 2025-08-08 by Juergen Weigert et al.";
#ifdef WIN32 #ifdef WIN32
char osver[] = " (Win32)"; char osver[] = " (Win32)";
#else #else
@ -228,8 +228,7 @@ char osver[] = "";
#define LLEN_NO_COLOR \ #define LLEN_NO_COLOR \
(39 /* addr: ⌈log10(ULONG_MAX)⌉ if "-d" flag given. We assume ULONG_MAX = 2**128 */ \ (39 /* addr: ⌈log10(ULONG_MAX)⌉ if "-d" flag given. We assume ULONG_MAX = 2**128 */ \
+ 2 /* ": " */ \ + 2 /* ": " */ \
+ 2 * COLS /* hex dump */ \ + 9 * COLS /* hex dump, worst case: bitwise output using -b */ \
+ (COLS - 1) /* whitespace between groups if "-g1" option given and "-c" maxed out */ \
+ 2 /* whitespace */ \ + 2 /* whitespace */ \
+ COLS /* ASCII dump */ \ + COLS /* ASCII dump */ \
+ 2) /* "\n\0" */ + 2) /* "\n\0" */
@ -1182,9 +1181,7 @@ main(int argc, char *argv[])
c += addrlen + 3 + p; c += addrlen + 3 + p;
if (color) if (color)
{
colors[c] = cur_color; colors[c] = cur_color;
}
l[c++] = l[c++] =
#if defined(__MVS__) && __CHARSET_LIB == 0 #if defined(__MVS__) && __CHARSET_LIB == 0
(e >= 64) (e >= 64)