public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
To: git-commits@fedoraproject.org
Subject: [rpms/coreutils] f43: unexpand: fix heap overflows
Date: Thu, 11 Jun 2026 10:53:07 GMT [thread overview]
Message-ID: <178117518730.1.9100247178732322792.rpms-coreutils-73520a03ad3a@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/coreutils
Branch : f43
Commit : 73520a03ad3a5783daa8b6d4005217ee874432d5
Author : Lukáš Zaoral <lzaoral@redhat.com>
Date : 2026-06-11T12:46:46+02:00
Stats : +38/-18 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/coreutils/c/73520a03ad3a5783daa8b6d4005217ee874432d5?branch=f43
Log:
unexpand: fix heap overflows
---
diff --git a/coreutils-i18n.patch b/coreutils-i18n.patch
index cc7d43a..eb993ca 100644
--- a/coreutils-i18n.patch
+++ b/coreutils-i18n.patch
@@ -10,18 +10,18 @@ Subject: [PATCH] coreutils-i18n.patch
lib/mbchar.c | 23 ++
lib/mbchar.h | 383 +++++++++++++++++
lib/mbfile.c | 20 +
- lib/mbfile.h | 283 +++++++++++++
+ lib/mbfile.h | 277 +++++++++++++
m4/mbchar.m4 | 15 +
m4/mbfile.m4 | 16 +
src/cut.c | 508 +++++++++++++++++++++--
src/expand-common.c | 114 ++++++
src/expand-common.h | 12 +
src/expand.c | 90 +++-
- src/fold.c | 311 ++++++++++++--
+ src/fold.c | 312 ++++++++++++--
src/local.mk | 4 +-
src/pr.c | 443 ++++++++++++++++++--
src/sort.c | 790 +++++++++++++++++++++++++++++++++---
- src/unexpand.c | 101 ++++-
+ src/unexpand.c | 103 ++++-
tests/Coreutils.pm | 3 +
tests/expand/mb.sh | 183 +++++++++
tests/i18n/sort.sh | 29 ++
@@ -33,8 +33,8 @@ Subject: [PATCH] coreutils-i18n.patch
tests/pr/pr-tests.pl | 49 +++
tests/sort/sort-merge.pl | 42 ++
tests/sort/sort.pl | 40 +-
- tests/unexpand/mb.sh | 172 ++++++++
- 30 files changed, 3632 insertions(+), 195 deletions(-)
+ tests/unexpand/mb.sh | 189 +++++++++
+ 30 files changed, 3645 insertions(+), 196 deletions(-)
create mode 100644 lib/mbchar.c
create mode 100644 lib/mbchar.h
create mode 100644 lib/mbfile.c
@@ -548,7 +548,7 @@ index 0000000..f4e3e77
+#include "mbfile.h"
diff --git a/lib/mbfile.h b/lib/mbfile.h
new file mode 100644
-index 0000000..c852f31
+index 0000000..95c7c42
--- /dev/null
+++ b/lib/mbfile.h
@@ -0,0 +1,277 @@
@@ -1843,7 +1843,7 @@ index 5ec7ce9..65ac315 100644
}
diff --git a/src/fold.c b/src/fold.c
-index b64aad4..a156337 100644
+index b64aad4..241b17c 100644
--- a/src/fold.c
+++ b/src/fold.c
@@ -23,10 +23,32 @@
@@ -2247,7 +2247,7 @@ index b64aad4..a156337 100644
case 's': /* Break at word boundaries. */
diff --git a/src/local.mk b/src/local.mk
-index 188dda1..7db5753 100644
+index 3bfe814..e42bb79 100644
--- a/src/local.mk
+++ b/src/local.mk
@@ -478,8 +478,8 @@ src_base32_CPPFLAGS = -DBASE_TYPE=32 $(AM_CPPFLAGS)
@@ -4102,7 +4102,7 @@ index 7af1a25..d3dc684 100644
break;
diff --git a/src/unexpand.c b/src/unexpand.c
-index ff234d7..7c36ef6 100644
+index ff234d7..06ea637 100644
--- a/src/unexpand.c
+++ b/src/unexpand.c
@@ -39,6 +39,9 @@
@@ -4152,7 +4152,7 @@ index ff234d7..7c36ef6 100644
tab stop, then MAX_COLUMN_WIDTH - 1 blanks, then a non-blank; so
allocate MAX_COLUMN_WIDTH bytes to store the blanks. */
- pending_blank = ximalloc (max_column_width);
-+ pending_blank = ximalloc (max_column_width * sizeof (mbf_char_t));
++ pending_blank = xinmalloc (max_column_width, sizeof (mbf_char_t));
+
+ if (found_bom == true)
+ print_bom();
@@ -4213,7 +4213,7 @@ index ff234d7..7c36ef6 100644
if (blank)
{
-@@ -175,16 +232,16 @@ unexpand (void)
+@@ -175,30 +232,31 @@ unexpand (void)
if (convert)
{
@@ -4231,9 +4231,10 @@ index ff234d7..7c36ef6 100644
- column++;
+ column += mb_width (c);
- if (! (prev_blank && column == next_tab_column))
+- if (! (prev_blank && column == next_tab_column))
++ if (! (prev_blank && column >= next_tab_column))
{
-@@ -192,13 +249,14 @@ unexpand (void)
+ /* It is not yet known whether the pending blanks
will be replaced by tabs. */
if (column == next_tab_column)
one_blank_before_tab_stop = true;
@@ -4321,7 +4322,7 @@ index b55fb9d..ac80f49 100644
warn "$program_name: $test_name: test name is too long (> $max)\n";
diff --git a/tests/expand/mb.sh b/tests/expand/mb.sh
new file mode 100644
-index 0000000..dd6007c
+index 0000000..6d6497a
--- /dev/null
+++ b/tests/expand/mb.sh
@@ -0,0 +1,183 @@
@@ -5016,10 +5017,10 @@ index 2ee92c4..96c7965 100755
my $verbose = $ENV{VERBOSE};
diff --git a/tests/unexpand/mb.sh b/tests/unexpand/mb.sh
new file mode 100644
-index 0000000..8a82d74
+index 0000000..9fa1823
--- /dev/null
+++ b/tests/unexpand/mb.sh
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,189 @@
+#!/bin/sh
+
+# Copyright (C) 2012-2015 Free Software Foundation, Inc.
@@ -5192,7 +5193,23 @@ index 0000000..8a82d74
+LC_ALL=C unexpand -a in in > out || fail=1
+compare exp out > /dev/null 2>&1 || fail=1
+
++# Ensure overflow is handed gracefully
++# coreutils v9.11 induced a buffer overflow with mb_mul=4 (or 16).
++for mb_mul in 4 6; do
++ printf ' \n' | unexpand -t $(expr $SIZE_MAX / $mb_mul + 1) 2>err; ret=$?
++ test "$ret" = 1 || test "$ret" = 0 || { cat err; fail=1; }
++done
++
++# A blank whose display width exceeds the tab distance must not overrun
++# the pending-blank buffer. With -t1 every column is a tab stop, so a
++# width-2 ideographic space steps over the stop without landing on it;
++# the run of blanks then grew pending_blank without bound.
++ideo_space=$(env printf '\u3000')
++{ yes "$ideo_space" | head -n 40000 | tr -d '\n'; echo; } |
++ unexpand -t1 >out 2>err; ret=$?
++test "$ret" = 0 || { cat err; fail=1; }
++
+Exit $fail
--
-2.50.0
+2.54.0
diff --git a/coreutils.spec b/coreutils.spec
index ef4619a..5c39f7b 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
Summary: A set of basic GNU tools commonly used in shell scripts
Name: coreutils
Version: 9.7
-Release: 8%{?dist}
+Release: 9%{?dist}
# some used parts of gnulib are under various variants of LGPL
License: GPL-3.0-or-later AND GFDL-1.3-no-invariants-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later
Url: https://www.gnu.org/software/coreutils/
@@ -298,6 +298,9 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir
%license COPYING
%changelog
+* Thu Jun 11 2026 Lukáš Zaoral <lzaoral@redhat.com> - 9.7-9
+- unexpand: fix heap overflows
+
* Mon Mar 09 2026 Lukáš Zaoral <lzaoral@redhat.com> - 9.7-8
- fix unexpand/expand crash on invalid multibyte characters (rhbz#2443041)
reply other threads:[~2026-06-11 10:53 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178117518730.1.9100247178732322792.rpms-coreutils-73520a03ad3a@fedoraproject.org \
--to=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox