public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
To: git-commits@fedoraproject.org
Subject: [rpms/coreutils] rawhide: unexpand: fix heap overflows
Date: Thu, 11 Jun 2026 09:36:52 GMT [thread overview]
Message-ID: <178117061298.1.15338920564930049854.rpms-coreutils-e65fb15ba529@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/coreutils
Branch : rawhide
Commit : e65fb15ba52915c188adce7e7df83813c3993990
Author : Lukáš Zaoral <lzaoral@redhat.com>
Date : 2026-06-11T11:36:29+02:00
Stats : +122/-5 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/coreutils/c/e65fb15ba52915c188adce7e7df83813c3993990?branch=rawhide
Log:
unexpand: fix heap overflows
---
diff --git a/coreutils-9.11-unexpand-heap-overflows.patch b/coreutils-9.11-unexpand-heap-overflows.patch
new file mode 100644
index 0000000..3bab532
--- /dev/null
+++ b/coreutils-9.11-unexpand-heap-overflows.patch
@@ -0,0 +1,113 @@
+From f7d5b763f691b36603cdd2ac1fc79a6a731bddbf Mon Sep 17 00:00:00 2001
+From: Pádraig Brady <P@draigBrady.com>
+Date: Tue, 28 Apr 2026 20:33:10 +0100
+Subject: [PATCH] unexpand: fix heap overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* src/unexpand.c (unexpand): Use xinmalloc() to gracefully
+handle overflow. Also use the runtime locale specific MB_CUR_MAX
+rather than the worst case MB_LEN_MAX.
+* tests/unexpand/mb.sh: Add a test case that fails in a default
+glibc build with either MB_CUR_MAX or MB_LEN_MAX.
+Reported by Michał Majchrowicz.
+
+(cherry picked from commit b60a159fdc5bfcf9988d3a4cb6f53abe8ad5d35d)
+---
+ src/unexpand.c | 2 +-
+ tests/unexpand/mb.sh | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/unexpand.c b/src/unexpand.c
+index 4fbf9d3..761c8ea 100644
+--- a/src/unexpand.c
++++ b/src/unexpand.c
+@@ -131,7 +131,7 @@ unexpand (void)
+ /* The worst case is a non-blank character, then one blank, then a
+ tab stop, then MAX_COLUMN_WIDTH - 1 blanks, then a non-blank; so
+ allocate MAX_COLUMN_WIDTH bytes to store the blanks. */
+- pending_blank = ximalloc (max_column_width * sizeof (char) * MB_LEN_MAX);
++ pending_blank = xinmalloc (max_column_width, MB_CUR_MAX);
+
+ while (true)
+ {
+diff --git a/tests/unexpand/mb.sh b/tests/unexpand/mb.sh
+index 76a2679..076a1c1 100755
+--- a/tests/unexpand/mb.sh
++++ b/tests/unexpand/mb.sh
+@@ -17,6 +17,7 @@
+
+ . "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+ print_ver_ unexpand printf
++getlimits_
+
+ test "$LOCALE_FR_UTF8" != none || skip_ "French UTF-8 locale not available"
+ export LC_ALL="$LOCALE_FR_UTF8"
+@@ -161,4 +162,11 @@ EOF
+ unexpand -a ./in ./in > out || fail=1
+ compare exp out > /dev/null 2>&1 || fail=1
+
++# Ensure overflow is handed gracefully
++# coreutils v9.11 induced a buffer overflow with mb_mul=4 (or 16).
++for mb_mul in 4 6; do
++ printf ' \n' | unexpand -t $(expr $SIZE_MAX / $mb_mul + 1) 2>err; ret=$?
++ test "$ret" = 1 || test "$ret" = 0 || { cat err; fail=1; }
++done
++
+ Exit $fail
+--
+2.54.0
+
+From 528c740817d2235dd37269292c5e3167935d2761 Mon Sep 17 00:00:00 2001
+From: aizu-m <aizumusheer2@gmail.com>
+Date: Tue, 9 Jun 2026 12:37:06 +0530
+Subject: [PATCH] unexpand: fix heap overflow when a wide blank overshoots a
+ tab stop
+
+* src/unexpand.c (unexpand): Check if the column is greater or equal to
+the next_tab_column.
+* tests/unexpand/mb.sh: Add a test case.
+https://github.com/coreutils/coreutils/pull/285
+Copyright-paperwork-exempt: Yes
+
+(cherry picked from commit 4ade9cf77f6c7b39e3fdc5ce97a778f8e294694c)
+---
+ src/unexpand.c | 2 +-
+ tests/unexpand/mb.sh | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/unexpand.c b/src/unexpand.c
+index 761c8ea..3bde985 100644
+--- a/src/unexpand.c
++++ b/src/unexpand.c
+@@ -201,7 +201,7 @@ unexpand (void)
+ {
+ column += c32width (g.ch);
+
+- if (! (prev_blank && column == next_tab_column))
++ if (! (prev_blank && column >= next_tab_column))
+ {
+ /* It is not yet known whether the pending blanks
+ will be replaced by tabs. */
+diff --git a/tests/unexpand/mb.sh b/tests/unexpand/mb.sh
+index 076a1c1..84ba035 100755
+--- a/tests/unexpand/mb.sh
++++ b/tests/unexpand/mb.sh
+@@ -169,4 +169,13 @@ for mb_mul in 4 6; do
+ test "$ret" = 1 || test "$ret" = 0 || { cat err; fail=1; }
+ done
+
++# A blank whose display width exceeds the tab distance must not overrun
++# the pending-blank buffer. With -t1 every column is a tab stop, so a
++# width-2 ideographic space steps over the stop without landing on it;
++# the run of blanks then grew pending_blank without bound.
++ideo_space=$(env printf '\u3000')
++{ yes "$ideo_space" | head -n 40000 | tr -d '\n'; echo; } |
++ unexpand -t1 >out 2>err; ret=$?
++test "$ret" = 0 || { cat err; fail=1; }
++
+ Exit $fail
+--
+2.54.0
+
diff --git a/coreutils.spec b/coreutils.spec
index 3decc17..0c3e516 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
Summary: A set of basic GNU tools commonly used in shell scripts
Name: coreutils
Version: 9.11
-Release: 2%{?dist}
+Release: 3%{?dist}
# some used parts of gnulib are under various variants of LGPL
License: GPL-3.0-or-later AND GFDL-1.3-no-invariants-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later
Url: https://www.gnu.org/software/coreutils/
@@ -34,6 +34,11 @@ Patch103: coreutils-python3.patch
# df --direct
Patch104: coreutils-df-direct.patch
+# unexpand: fix heap overflows
+# https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=b60a159fdc5bfcf9988d3a4cb6f53abe8ad5d35d
+# https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=4ade9cf77f6c7b39e3fdc5ce97a778f8e294694c
+Patch200: coreutils-9.11-unexpand-heap-overflows.patch
+
# (sb) lin18nux/lsb compliance - multibyte functionality patch
Patch800: coreutils-i18n.patch
@@ -158,10 +163,6 @@ find tests -name '*.sh' -perm 0644 -print -exec chmod 0755 '{}' '+'
# with coreutils 9.6 and bundled gettext 0.19.2 from gettext-common-devel.
sed -i "s/0.19.2/$(rpm -q --queryformat '%%{VERSION}\n' gettext-devel)/" bootstrap.conf configure.ac
-# rhbz#2463168: recent perl-IO-Tty (1.24+) breaks the misc/tty-eof.pl test
-# skip setting the custom eof char as workaround
-sed -i 's/set_tty_eof_char ($exp->slave, $eof_char);//' tests/misc/tty-eof.pl
-
%if 0%{?rhel}
# Temporarily disable test-getaddrinfo from gnulib because it malfunctions in
# the environment used to bootstrap RHEL.
@@ -289,6 +290,9 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir
%license COPYING
%changelog
+* Thu Jun 11 2026 Lukáš Zaoral <lzaoral@redhat.com> - 9.11-3
+- unexpand: fix heap overflows
+
* Fri May 01 2026 Davide Bolcioni <dbolcioni@gmail.com> - 9.11-2
- fix coreutils.single dangling symlink (rhbz#2464618)
reply other threads:[~2026-06-11 9:36 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178117061298.1.15338920564930049854.rpms-coreutils-e65fb15ba529@fedoraproject.org \
--to=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox