[rpms/coreutils] f44: unexpand: fix heap overflows

A new commit has been pushed.

Repo   : rpms/coreutils
Branch : f44
Commit : 54dd389f147793a4ef63ee65026c2e0d18f42181
Author : Lukáš Zaoral <lzaoral@redhat.com>
Date   : 2026-06-11T12:12:04+02:00
Stats  : +49/-29 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/coreutils/c/54dd389f147793a4ef63ee65026c2e0d18f42181?branch=f44

Log:
unexpand: fix heap overflows

---
diff --git a/coreutils-i18n.patch b/coreutils-i18n.patch
index e35390c..551c485 100644
--- a/coreutils-i18n.patch
+++ b/coreutils-i18n.patch
@@ -7,10 +7,10 @@ Subject: [PATCH] coreutils-i18n.patch
  bootstrap.conf              |   1 +
  lib/linebuffer.h            |   8 +
  src/cut.c                   | 508 +++++++++++++++++++++--
- src/expand.c                |  36 +-
+ src/expand.c                |  37 +-
  src/pr.c                    | 443 ++++++++++++++++++--
  src/sort.c                  | 791 +++++++++++++++++++++++++++++++++---
- src/unexpand.c              |  43 +-
+ src/unexpand.c              |  45 +-
  tests/Coreutils.pm          |   3 +
  tests/expand/expand.pl      |  42 ++
  tests/expand/mb.sh          | 171 ++++++++
@@ -20,16 +20,16 @@ Subject: [PATCH] coreutils-i18n.patch
  tests/pr/pr-tests.pl        |  49 +++
  tests/sort/sort-merge.pl    |  42 ++
  tests/sort/sort.pl          |  40 +-
- tests/unexpand/mb.sh        | 163 ++++++++
+ tests/unexpand/mb.sh        | 179 ++++++++
  tests/unexpand/unexpand.pl  |  39 ++
- 18 files changed, 2301 insertions(+), 156 deletions(-)
+ 18 files changed, 2319 insertions(+), 157 deletions(-)
  create mode 100644 tests/expand/mb.sh
  create mode 100644 tests/i18n/sort.sh
  create mode 100644 tests/misc/sort-mb-tests.sh
  create mode 100644 tests/unexpand/mb.sh
 
 diff --git a/bootstrap.conf b/bootstrap.conf
-index 07ab7e7..3e08f8a 100644
+index 07ab7e7e..3e08f8ab 100644
 --- a/bootstrap.conf
 +++ b/bootstrap.conf
 @@ -171,6 +171,7 @@ gnulib_modules="
@@ -41,7 +41,7 @@ index 07ab7e7..3e08f8a 100644
    mbrtoc32
    mbrtowc
 diff --git a/lib/linebuffer.h b/lib/linebuffer.h
-index af22d27..80119f4 100644
+index af22d27b..80119f4b 100644
 --- a/lib/linebuffer.h
 +++ b/lib/linebuffer.h
 @@ -27,6 +27,11 @@ extern "C" {
@@ -67,7 +67,7 @@ index af22d27..80119f4 100644
  
  /* Initialize linebuffer LINEBUFFER for use. */
 diff --git a/src/cut.c b/src/cut.c
-index 93f2b1f..9d93ea7 100644
+index 93f2b1f1..9d93ea77 100644
 --- a/src/cut.c
 +++ b/src/cut.c
 @@ -27,6 +27,11 @@
@@ -727,7 +727,7 @@ index 93f2b1f..9d93ea7 100644
  
    if (have_read_stdin && fclose (stdin) == EOF)
 diff --git a/src/expand.c b/src/expand.c
-index cbf659c..19b36b6 100644
+index cbf659c1..a33c847b 100644
 --- a/src/expand.c
 +++ b/src/expand.c
 @@ -37,7 +37,11 @@
@@ -820,7 +820,7 @@ index cbf659c..19b36b6 100644
  }
  
 diff --git a/src/pr.c b/src/pr.c
-index cb2d45d..bf21323 100644
+index cb2d45d5..bf213236 100644
 --- a/src/pr.c
 +++ b/src/pr.c
 @@ -311,6 +311,24 @@
@@ -1591,7 +1591,7 @@ index cb2d45d..bf21323 100644
     looking for more options and printing the next batch of files.
  
 diff --git a/src/sort.c b/src/sort.c
-index eaf06d2..edb8130 100644
+index eaf06d25..edb81303 100644
 --- a/src/sort.c
 +++ b/src/sort.c
 @@ -29,6 +29,15 @@
@@ -2661,7 +2661,7 @@ index eaf06d2..edb8130 100644
            break;
  
 diff --git a/src/unexpand.c b/src/unexpand.c
-index b92a951..24041a9 100644
+index b92a9517..720ff5be 100644
 --- a/src/unexpand.c
 +++ b/src/unexpand.c
 @@ -38,7 +38,11 @@
@@ -2688,7 +2688,7 @@ index b92a951..24041a9 100644
       tab stop, then MAX_COLUMN_WIDTH - 1 blanks, then a non-blank; so
       allocate MAX_COLUMN_WIDTH bytes to store the blanks.  */
 -  pending_blank = ximalloc (max_column_width);
-+  pending_blank = ximalloc (max_column_width * sizeof (char) * MB_LEN_MAX);
++  pending_blank = xinmalloc (max_column_width, MB_CUR_MAX);
  
    while (true)
      {
@@ -2723,16 +2723,17 @@ index b92a951..24041a9 100644
                          {
                            column = next_tab_column;
  
-@@ -190,7 +198,7 @@ unexpand (void)
+@@ -190,21 +198,25 @@ unexpand (void)
                          }
                        else
                          {
 -                          column++;
 +                          column += c32width (g.ch);
  
-                           if (! (prev_blank && column == next_tab_column))
+-                          if (! (prev_blank && column == next_tab_column))
++                          if (! (prev_blank && column >= next_tab_column))
                              {
-@@ -198,13 +206,17 @@ unexpand (void)
+                               /* It is not yet known whether the pending blanks
                                   will be replaced by tabs.  */
                                if (column == next_tab_column)
                                  one_blank_before_tab_stop = true;
@@ -2794,7 +2795,7 @@ index b92a951..24041a9 100644
  }
  
 diff --git a/tests/Coreutils.pm b/tests/Coreutils.pm
-index 393a8c8..fbecab3 100644
+index 393a8c8d..fbecab3d 100644
 --- a/tests/Coreutils.pm
 +++ b/tests/Coreutils.pm
 @@ -269,6 +269,9 @@ sub run_tests ($$$$$)
@@ -2808,7 +2809,7 @@ index 393a8c8..fbecab3 100644
          {
            warn "$program_name: $test_name: test name is too long (> $max)\n";
 diff --git a/tests/expand/expand.pl b/tests/expand/expand.pl
-index aea388a..5312dba 100755
+index aea388ab..5312dbae 100755
 --- a/tests/expand/expand.pl
 +++ b/tests/expand/expand.pl
 @@ -27,6 +27,15 @@ my $prog = 'expand';
@@ -2876,7 +2877,7 @@ index aea388a..5312dba 100755
  
 diff --git a/tests/expand/mb.sh b/tests/expand/mb.sh
 new file mode 100644
-index 0000000..64fe125
+index 00000000..64fe1259
 --- /dev/null
 +++ b/tests/expand/mb.sh
 @@ -0,0 +1,171 @@
@@ -3053,7 +3054,7 @@ index 0000000..64fe125
 +Exit $fail
 diff --git a/tests/i18n/sort.sh b/tests/i18n/sort.sh
 new file mode 100644
-index 0000000..26c95de
+index 00000000..26c95de9
 --- /dev/null
 +++ b/tests/i18n/sort.sh
 @@ -0,0 +1,29 @@
@@ -3087,7 +3088,7 @@ index 0000000..26c95de
 +
 +Exit $fail
 diff --git a/tests/local.mk b/tests/local.mk
-index 1682d1b..b341dd9 100644
+index 1682d1b8..b341dd98 100644
 --- a/tests/local.mk
 +++ b/tests/local.mk
 @@ -423,6 +423,8 @@ all_tests =					\
@@ -3117,7 +3118,7 @@ index 1682d1b..b341dd9 100644
  # See tests/factor/create-test.sh.
 diff --git a/tests/misc/sort-mb-tests.sh b/tests/misc/sort-mb-tests.sh
 new file mode 100644
-index 0000000..11836ba
+index 00000000..11836baa
 --- /dev/null
 +++ b/tests/misc/sort-mb-tests.sh
 @@ -0,0 +1,45 @@
@@ -3167,7 +3168,7 @@ index 0000000..11836ba
 +
 +Exit $fail
 diff --git a/tests/pr/pr-tests.pl b/tests/pr/pr-tests.pl
-index 812e215..888df41 100755
+index 812e215a..888df418 100755
 --- a/tests/pr/pr-tests.pl
 +++ b/tests/pr/pr-tests.pl
 @@ -24,6 +24,15 @@ use strict;
@@ -3236,7 +3237,7 @@ index 812e215..888df41 100755
  my $verbose = $ENV{VERBOSE};
  
 diff --git a/tests/sort/sort-merge.pl b/tests/sort/sort-merge.pl
-index 3382479..fb4702c 100755
+index 33824790..fb4702c3 100755
 --- a/tests/sort/sort-merge.pl
 +++ b/tests/sort/sort-merge.pl
 @@ -26,6 +26,15 @@ my $prog = 'sort';
@@ -3296,7 +3297,7 @@ index 3382479..fb4702c 100755
  my $verbose = $ENV{VERBOSE};
  
 diff --git a/tests/sort/sort.pl b/tests/sort/sort.pl
-index e37a746..3554bea 100755
+index e37a746e..3554beab 100755
 --- a/tests/sort/sort.pl
 +++ b/tests/sort/sort.pl
 @@ -24,10 +24,15 @@ my $prog = 'sort';
@@ -3365,10 +3366,10 @@ index e37a746..3554bea 100755
  my $verbose = $ENV{VERBOSE};
 diff --git a/tests/unexpand/mb.sh b/tests/unexpand/mb.sh
 new file mode 100644
-index 0000000..e505b5d
+index 00000000..5d2a0785
 --- /dev/null
 +++ b/tests/unexpand/mb.sh
-@@ -0,0 +1,163 @@
+@@ -0,0 +1,179 @@
 +#!/bin/sh
 +
 +# Copyright (C) 2012-2015 Free Software Foundation, Inc.
@@ -3531,9 +3532,25 @@ index 0000000..e505b5d
 +unexpand -a in in > out || fail=1
 +compare exp out > /dev/null 2>&1 || fail=1
 +
++# Ensure overflow is handed gracefully
++# coreutils v9.11 induced a buffer overflow with mb_mul=4 (or 16).
++for mb_mul in 4 6; do
++  printf '   \n' | unexpand -t $(expr $SIZE_MAX / $mb_mul + 1) 2>err; ret=$?
++  test "$ret" = 1 || test "$ret" = 0 || { cat err; fail=1; }
++done
++
++# A blank whose display width exceeds the tab distance must not overrun
++# the pending-blank buffer.  With -t1 every column is a tab stop, so a
++# width-2 ideographic space steps over the stop without landing on it;
++# the run of blanks then grew pending_blank without bound.
++ideo_space=$(env printf '\u3000')
++{ yes "$ideo_space" | head -n 40000 | tr -d '\n'; echo; } |
++  unexpand -t1 >out 2>err; ret=$?
++test "$ret" = 0 || { cat err; fail=1; }
++
 +Exit $fail
 diff --git a/tests/unexpand/unexpand.pl b/tests/unexpand/unexpand.pl
-index fd64f0f..0c718ab 100755
+index fd64f0fc..0c718ab2 100755
 --- a/tests/unexpand/unexpand.pl
 +++ b/tests/unexpand/unexpand.pl
 @@ -27,6 +27,14 @@ my $limits = getlimits ();
@@ -3590,5 +3607,5 @@ index fd64f0f..0c718ab 100755
  my $verbose = $ENV{VERBOSE};
  
 -- 
-2.53.0
+2.54.0
 

diff --git a/coreutils.spec b/coreutils.spec
index c864237..fe8b56b 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name:    coreutils
 Version: 9.10
-Release: 3%{?dist}
+Release: 4%{?dist}
 # some used parts of gnulib are under various variants of LGPL
 License: GPL-3.0-or-later AND GFDL-1.3-no-invariants-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later
 Url:     https://www.gnu.org/software/coreutils/
@@ -290,6 +290,9 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 %license COPYING
 
 %changelog
+* Thu Jun 11 2026 Lukáš Zaoral <lzaoral@redhat.com> - 9.10-4
+- unexpand: fix heap overflows
+
 * Thu Mar 05 2026 Lukáš Zaoral <lzaoral@redhat.com> - 9.10-3
 - fix possible hangups during testsuite execution
 - rewrite (un)expand multibyte support using the mbbuf module (rhbz#2443041)