https://sourceware.org/bugzilla/show_bug.cgi?id=30595
Bug ID: 30595
Summary: strings crashes when told to search for strings of size 0xFFFFFFFF
Product: binutils
Version: 2.41 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: gabravier at gmail dot com
Target Milestone: ---

Version of the utility:
$ ./binutils/strings --version
GNU strings (GNU Binutils) 2.40.50.20230629
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

Patches: None, the source code used is current HEAD (git commit 3933413e7887045bf1eed302040177bcfee92c2f)

Type of machine used, OS and version number:
$ uname -a
Linux fedora 6.3.8-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 15 02:15:40 UTC 2023 x86_64 GNU/Linux

Compiler used to compile the utilities:
$ gcc --version
gcc (GCC) 13.1.1 20230614 (Red Hat 13.1.1-4)
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Command arguments used to reproduce the bug:
$ ./binutils/strings -n0xFFFFFFFF <(echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
double free or corruption (out)
Aborted (core dumped)

Behavior I observe that I believe is incorrect:
strings crashes. I believe it should output nothing as there are no strings longer than 4294967295 characters in the provided input file.

The bug appears to be caused by the following code:

char *buf = (char *) xmalloc (sizeof (char) * (string_min + 1));

which ends up passing a value of 0 to xmalloc, which makes it allocate a 1-byte buffer, which strings then proceeds to immediately overflow while trying to read string_min characters into it.
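The arithmetic the report points at, reproduced as an added example (this is not code from binutils or from the reporter). It assumes `string_min` is a 32-bit unsigned value, so `string_min + 1` wraps to 0 inside that type before `sizeof (char) *` widens the product to `size_t`; `demo_xmalloc` is a stand-in for libiberty's xmalloc with the zero-size behaviour the report describes, and `count_strings` is a hypothetical miniature of a strings(1)-style scanner, not strings.c itself. The hardened path widens the length to `size_t` first and refuses a minimum longer than the input before allocating anything, which is the "output nothing" outcome the reporter expects for 0xFFFFFFFF.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libiberty's xmalloc (assumed behaviour, as the report
   describes it: a zero-byte request still returns a small block). */
static void *demo_xmalloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p == NULL)
        abort();
    return p;
}

/* The size expression from the report.  string_min is assumed to be a
   32-bit unsigned value: 0xFFFFFFFF + 1 wraps to 0 in uint32_t arithmetic,
   so sizeof(char) * 0 == 0 is what reaches the allocator. */
size_t buffer_size_unchecked(uint32_t string_min)
{
    return sizeof(char) * (string_min + 1);
}

/* Same computation widened to size_t before the addition: on an LP64
   platform 0xFFFFFFFF + 1 is representable and does not wrap. */
size_t buffer_size_widened(uint32_t string_min)
{
    return (size_t)string_min + 1;
}

/* Hypothetical strings(1)-like scanner over an in-memory buffer.  Returns
   the number of printable runs of at least string_min bytes, writing each
   to `out` when it is non-NULL, or -1 for an invalid minimum.  A minimum
   longer than the input cannot match anything, so it is rejected before any
   buffer is allocated; the buffer that is allocated always has room for
   string_min bytes plus a terminator. */
long count_strings(const unsigned char *data, size_t len,
                   uint32_t string_min, FILE *out)
{
    if (string_min == 0)
        return -1;
    if ((size_t)string_min > len)
        return 0;                       /* nothing can match; do not allocate */

    size_t need = buffer_size_widened(string_min);
    char *buf = demo_xmalloc(need);     /* need == string_min + 1, never 0 */
    size_t run = 0;                     /* length of the current printable run */
    long found = 0;

    for (size_t i = 0; i <= len; i++) {
        int c = (i < len) ? data[i] : EOF;
        if (c != EOF && (isprint(c) || c == '\t')) {
            if (run < string_min) {
                buf[run] = (char)c;     /* run < string_min, so in bounds */
                if (run + 1 == string_min) {
                    buf[run + 1] = '\0';    /* index string_min, the last slot */
                    if (out)
                        fputs(buf, out);
                }
            } else if (out) {
                fputc(c, out);          /* past the minimum: stream through */
            }
            run++;
            continue;
        }
        if (run >= string_min) {
            found++;
            if (out)
                fputc('\n', out);
        }
        run = 0;
    }
    free(buf);
    return found;
}

int main(void)
{
    /* Constructed input matching the report's reproducer: 38 'a's and a newline. */
    unsigned char sample[39];
    memset(sample, 'a', 38);
    sample[38] = '\n';

    printf("unchecked size for 0xFFFFFFFF: %zu\n",
           buffer_size_unchecked(0xFFFFFFFFu));
    printf("widened size for 0xFFFFFFFF:   %zu\n",
           buffer_size_widened(0xFFFFFFFFu));
    printf("strings found with -n0xFFFFFFFF: %ld\n",
           count_strings(sample, sizeof(sample), 0xFFFFFFFFu, stdout));
    printf("strings found with -n4:\n");
    printf("-> %ld\n", count_strings(sample, sizeof(sample), 4, stdout));
    return 0;
}
```

The point to check in a fix is that the length is widened before the `+ 1` and that the allocation size is validated against the input rather than trusted; the wrapped value here lands as 0, but any 32-bit minimum close to the wrap point yields a buffer far smaller than the run the scanner then copies into it.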