Package: bsdmainutils
Version: 9.0.5
Severity: important
If an input line to col exceeds 32k characters, an integer overflow may
cause col to attempt illegal memory reads and writes, and will also
truncate output lines.
This can easily be seen using the following command:
valgrind col < <(printf 'xx\b\b'; printf z%.0s {1..131072}) | wc -c
valgrind will report illegal reads and writes, and wc will show the
truncated output.
The following problem description is copied from a bug report to FreeBSD (
http://www.freebsd.org/cgi/query-pr.cgi?pr=186282), which uses a similar
source for col (the line numbers are different but the problem is the same).
----- COPY STARTS
At line 78 of col.c
(http://svnweb.freebsd.org/base/head/usr.bin/col/col.c),the c_column
member of the CHAR struct is declared as short:
short c_column; /* column character is in */
This value is set (for each character) at line 299 from cur_col
c->c_column = cur_col;
But cur_col is an int.
Consequently, if the input has a line of more than 32768 characters, the
assignment to c->c_column will produce an integer overflow, producing two
errors: first, the value of c->column may become negative, which may cause
random memory to be overwritten; second, it may limit the line's output
size to 32768 characters, overlaying portions of the line over other
portions.
The more serious issue, the buffer overrun, will be triggered in the case
that l->l_needs_sort is set to true at line 306, which will happen if input
characters are out of sequence as a result of backspaces in the input (more
than one consecutive backspace is required to trigger this condition). In
that case, control flow will eventually reach line 423:
count[c->c_column]++;
which may use a negative integer from c->c_column to index the malloc'd
region count.
While this is not likely to be exploitable, since the memory overwrite is
an increment rather than a set, it could certainly cause unpredictable
behaviour. In addition, the integer overflow will cause other problems for
input containing long lines.
--- COPY ENDS
As indicate in the FreeBSD bug report, the easiest (but insufficient) fix
is to make c_column a short rather than an int. However, that will still
result in integer overflow if an input line is 2^31 characters long, or
more; a better fix would be to check for overflow before incrementing
cur_col, in various places in the main input loop.
