public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/coreutils] f44: unexpand: fix heap overflows
@ 2026-06-11 10:18
0 siblings, 0 replies; only message in thread
From: @ 2026-06-11 10:18 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/coreutils
Branch : f44
Commit : 54dd389f147793a4ef63ee65026c2e0d18f42181
Author : Lukáš Zaoral <lzaoral@redhat.com>
Date : 2026-06-11T12:12:04+02:00
Stats : +49/-29 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/coreutils/c/54dd389f147793a4ef63ee65026c2e0d18f42181?branch=f44
Log:
unexpand: fix heap overflows
---
diff --git a/coreutils-i18n.patch b/coreutils-i18n.patch
index e35390c..551c485 100644
--- a/coreutils-i18n.patch
+++ b/coreutils-i18n.patch
@@ -7,10 +7,10 @@ Subject: [PATCH] coreutils-i18n.patch
bootstrap.conf | 1 +
lib/linebuffer.h | 8 +
src/cut.c | 508 +++++++++++++++++++++--
- src/expand.c | 36 +-
+ src/expand.c | 37 +-
src/pr.c | 443 ++++++++++++++++++--
src/sort.c | 791 +++++++++++++++++++++++++++++++++---
- src/unexpand.c | 43 +-
+ src/unexpand.c | 45 +-
tests/Coreutils.pm | 3 +
tests/expand/expand.pl | 42 ++
tests/expand/mb.sh | 171 ++++++++
@@ -20,16 +20,16 @@ Subject: [PATCH] coreutils-i18n.patch
tests/pr/pr-tests.pl | 49 +++
tests/sort/sort-merge.pl | 42 ++
tests/sort/sort.pl | 40 +-
- tests/unexpand/mb.sh | 163 ++++++++
+ tests/unexpand/mb.sh | 179 ++++++++
tests/unexpand/unexpand.pl | 39 ++
- 18 files changed, 2301 insertions(+), 156 deletions(-)
+ 18 files changed, 2319 insertions(+), 157 deletions(-)
create mode 100644 tests/expand/mb.sh
create mode 100644 tests/i18n/sort.sh
create mode 100644 tests/misc/sort-mb-tests.sh
create mode 100644 tests/unexpand/mb.sh
diff --git a/bootstrap.conf b/bootstrap.conf
-index 07ab7e7..3e08f8a 100644
+index 07ab7e7e..3e08f8ab 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -171,6 +171,7 @@ gnulib_modules="
@@ -41,7 +41,7 @@ index 07ab7e7..3e08f8a 100644
mbrtoc32
mbrtowc
diff --git a/lib/linebuffer.h b/lib/linebuffer.h
-index af22d27..80119f4 100644
+index af22d27b..80119f4b 100644
--- a/lib/linebuffer.h
+++ b/lib/linebuffer.h
@@ -27,6 +27,11 @@ extern "C" {
@@ -67,7 +67,7 @@ index af22d27..80119f4 100644
/* Initialize linebuffer LINEBUFFER for use. */
diff --git a/src/cut.c b/src/cut.c
-index 93f2b1f..9d93ea7 100644
+index 93f2b1f1..9d93ea77 100644
--- a/src/cut.c
+++ b/src/cut.c
@@ -27,6 +27,11 @@
@@ -727,7 +727,7 @@ index 93f2b1f..9d93ea7 100644
if (have_read_stdin && fclose (stdin) == EOF)
diff --git a/src/expand.c b/src/expand.c
-index cbf659c..19b36b6 100644
+index cbf659c1..a33c847b 100644
--- a/src/expand.c
+++ b/src/expand.c
@@ -37,7 +37,11 @@
@@ -820,7 +820,7 @@ index cbf659c..19b36b6 100644
}
diff --git a/src/pr.c b/src/pr.c
-index cb2d45d..bf21323 100644
+index cb2d45d5..bf213236 100644
--- a/src/pr.c
+++ b/src/pr.c
@@ -311,6 +311,24 @@
@@ -1591,7 +1591,7 @@ index cb2d45d..bf21323 100644
looking for more options and printing the next batch of files.
diff --git a/src/sort.c b/src/sort.c
-index eaf06d2..edb8130 100644
+index eaf06d25..edb81303 100644
--- a/src/sort.c
+++ b/src/sort.c
@@ -29,6 +29,15 @@
@@ -2661,7 +2661,7 @@ index eaf06d2..edb8130 100644
break;
diff --git a/src/unexpand.c b/src/unexpand.c
-index b92a951..24041a9 100644
+index b92a9517..720ff5be 100644
--- a/src/unexpand.c
+++ b/src/unexpand.c
@@ -38,7 +38,11 @@
@@ -2688,7 +2688,7 @@ index b92a951..24041a9 100644
tab stop, then MAX_COLUMN_WIDTH - 1 blanks, then a non-blank; so
allocate MAX_COLUMN_WIDTH bytes to store the blanks. */
- pending_blank = ximalloc (max_column_width);
-+ pending_blank = ximalloc (max_column_width * sizeof (char) * MB_LEN_MAX);
++ pending_blank = xinmalloc (max_column_width, MB_CUR_MAX);
while (true)
{
@@ -2723,16 +2723,17 @@ index b92a951..24041a9 100644
{
column = next_tab_column;
-@@ -190,7 +198,7 @@ unexpand (void)
+@@ -190,21 +198,25 @@ unexpand (void)
}
else
{
- column++;
+ column += c32width (g.ch);
- if (! (prev_blank && column == next_tab_column))
+- if (! (prev_blank && column == next_tab_column))
++ if (! (prev_blank && column >= next_tab_column))
{
-@@ -198,13 +206,17 @@ unexpand (void)
+ /* It is not yet known whether the pending blanks
will be replaced by tabs. */
if (column == next_tab_column)
one_blank_before_tab_stop = true;
@@ -2794,7 +2795,7 @@ index b92a951..24041a9 100644
}
diff --git a/tests/Coreutils.pm b/tests/Coreutils.pm
-index 393a8c8..fbecab3 100644
+index 393a8c8d..fbecab3d 100644
--- a/tests/Coreutils.pm
+++ b/tests/Coreutils.pm
@@ -269,6 +269,9 @@ sub run_tests ($$$$$)
@@ -2808,7 +2809,7 @@ index 393a8c8..fbecab3 100644
{
warn "$program_name: $test_name: test name is too long (> $max)\n";
diff --git a/tests/expand/expand.pl b/tests/expand/expand.pl
-index aea388a..5312dba 100755
+index aea388ab..5312dbae 100755
--- a/tests/expand/expand.pl
+++ b/tests/expand/expand.pl
@@ -27,6 +27,15 @@ my $prog = 'expand';
@@ -2876,7 +2877,7 @@ index aea388a..5312dba 100755
diff --git a/tests/expand/mb.sh b/tests/expand/mb.sh
new file mode 100644
-index 0000000..64fe125
+index 00000000..64fe1259
--- /dev/null
+++ b/tests/expand/mb.sh
@@ -0,0 +1,171 @@
@@ -3053,7 +3054,7 @@ index 0000000..64fe125
+Exit $fail
diff --git a/tests/i18n/sort.sh b/tests/i18n/sort.sh
new file mode 100644
-index 0000000..26c95de
+index 00000000..26c95de9
--- /dev/null
+++ b/tests/i18n/sort.sh
@@ -0,0 +1,29 @@
@@ -3087,7 +3088,7 @@ index 0000000..26c95de
+
+Exit $fail
diff --git a/tests/local.mk b/tests/local.mk
-index 1682d1b..b341dd9 100644
+index 1682d1b8..b341dd98 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -423,6 +423,8 @@ all_tests = \
@@ -3117,7 +3118,7 @@ index 1682d1b..b341dd9 100644
# See tests/factor/create-test.sh.
diff --git a/tests/misc/sort-mb-tests.sh b/tests/misc/sort-mb-tests.sh
new file mode 100644
-index 0000000..11836ba
+index 00000000..11836baa
--- /dev/null
+++ b/tests/misc/sort-mb-tests.sh
@@ -0,0 +1,45 @@
@@ -3167,7 +3168,7 @@ index 0000000..11836ba
+
+Exit $fail
diff --git a/tests/pr/pr-tests.pl b/tests/pr/pr-tests.pl
-index 812e215..888df41 100755
+index 812e215a..888df418 100755
--- a/tests/pr/pr-tests.pl
+++ b/tests/pr/pr-tests.pl
@@ -24,6 +24,15 @@ use strict;
@@ -3236,7 +3237,7 @@ index 812e215..888df41 100755
my $verbose = $ENV{VERBOSE};
diff --git a/tests/sort/sort-merge.pl b/tests/sort/sort-merge.pl
-index 3382479..fb4702c 100755
+index 33824790..fb4702c3 100755
--- a/tests/sort/sort-merge.pl
+++ b/tests/sort/sort-merge.pl
@@ -26,6 +26,15 @@ my $prog = 'sort';
@@ -3296,7 +3297,7 @@ index 3382479..fb4702c 100755
my $verbose = $ENV{VERBOSE};
diff --git a/tests/sort/sort.pl b/tests/sort/sort.pl
-index e37a746..3554bea 100755
+index e37a746e..3554beab 100755
--- a/tests/sort/sort.pl
+++ b/tests/sort/sort.pl
@@ -24,10 +24,15 @@ my $prog = 'sort';
@@ -3365,10 +3366,10 @@ index e37a746..3554bea 100755
my $verbose = $ENV{VERBOSE};
diff --git a/tests/unexpand/mb.sh b/tests/unexpand/mb.sh
new file mode 100644
-index 0000000..e505b5d
+index 00000000..5d2a0785
--- /dev/null
+++ b/tests/unexpand/mb.sh
-@@ -0,0 +1,163 @@
+@@ -0,0 +1,179 @@
+#!/bin/sh
+
+# Copyright (C) 2012-2015 Free Software Foundation, Inc.
@@ -3531,9 +3532,25 @@ index 0000000..e505b5d
+unexpand -a in in > out || fail=1
+compare exp out > /dev/null 2>&1 || fail=1
+
++# Ensure overflow is handed gracefully
++# coreutils v9.11 induced a buffer overflow with mb_mul=4 (or 16).
++for mb_mul in 4 6; do
++ printf ' \n' | unexpand -t $(expr $SIZE_MAX / $mb_mul + 1) 2>err; ret=$?
++ test "$ret" = 1 || test "$ret" = 0 || { cat err; fail=1; }
++done
++
++# A blank whose display width exceeds the tab distance must not overrun
++# the pending-blank buffer. With -t1 every column is a tab stop, so a
++# width-2 ideographic space steps over the stop without landing on it;
++# the run of blanks then grew pending_blank without bound.
++ideo_space=$(env printf '\u3000')
++{ yes "$ideo_space" | head -n 40000 | tr -d '\n'; echo; } |
++ unexpand -t1 >out 2>err; ret=$?
++test "$ret" = 0 || { cat err; fail=1; }
++
+Exit $fail
diff --git a/tests/unexpand/unexpand.pl b/tests/unexpand/unexpand.pl
-index fd64f0f..0c718ab 100755
+index fd64f0fc..0c718ab2 100755
--- a/tests/unexpand/unexpand.pl
+++ b/tests/unexpand/unexpand.pl
@@ -27,6 +27,14 @@ my $limits = getlimits ();
@@ -3590,5 +3607,5 @@ index fd64f0f..0c718ab 100755
my $verbose = $ENV{VERBOSE};
--
-2.53.0
+2.54.0
diff --git a/coreutils.spec b/coreutils.spec
index c864237..fe8b56b 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
Summary: A set of basic GNU tools commonly used in shell scripts
Name: coreutils
Version: 9.10
-Release: 3%{?dist}
+Release: 4%{?dist}
# some used parts of gnulib are under various variants of LGPL
License: GPL-3.0-or-later AND GFDL-1.3-no-invariants-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later
Url: https://www.gnu.org/software/coreutils/
@@ -290,6 +290,9 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir
%license COPYING
%changelog
+* Thu Jun 11 2026 Lukáš Zaoral <lzaoral@redhat.com> - 9.10-4
+- unexpand: fix heap overflows
+
* Thu Mar 05 2026 Lukáš Zaoral <lzaoral@redhat.com> - 9.10-3
- fix possible hangups during testsuite execution
- rewrite (un)expand multibyte support using the mbbuf module (rhbz#2443041)
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-11 10:18 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-11 10:18 [rpms/coreutils] f44: unexpand: fix heap overflows
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox