[rpms/coreutils] f43: unexpand: fix heap overflows

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

* [rpms/coreutils] f43: unexpand: fix heap overflows
@ 2026-06-11 10:53 
  0 siblings, 0 replies; only message in thread
From:  @ 2026-06-11 10:53 UTC (permalink / raw)
  To: git-commits

A new commit has been pushed.

Repo   : rpms/coreutils
Branch : f43
Commit : 73520a03ad3a5783daa8b6d4005217ee874432d5
Author : Lukáš Zaoral <lzaoral@redhat.com>
Date   : 2026-06-11T12:46:46+02:00
Stats  : +38/-18 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/coreutils/c/73520a03ad3a5783daa8b6d4005217ee874432d5?branch=f43

Log:
unexpand: fix heap overflows

---
diff --git a/coreutils-i18n.patch b/coreutils-i18n.patch
index cc7d43a..eb993ca 100644
--- a/coreutils-i18n.patch
+++ b/coreutils-i18n.patch
@@ -10,18 +10,18 @@ Subject: [PATCH] coreutils-i18n.patch
  lib/mbchar.c                |  23 ++
  lib/mbchar.h                | 383 +++++++++++++++++
  lib/mbfile.c                |  20 +
- lib/mbfile.h                | 283 +++++++++++++
+ lib/mbfile.h                | 277 +++++++++++++
  m4/mbchar.m4                |  15 +
  m4/mbfile.m4                |  16 +
  src/cut.c                   | 508 +++++++++++++++++++++--
  src/expand-common.c         | 114 ++++++
  src/expand-common.h         |  12 +
  src/expand.c                |  90 +++-
- src/fold.c                  | 311 ++++++++++++--
+ src/fold.c                  | 312 ++++++++++++--
  src/local.mk                |   4 +-
  src/pr.c                    | 443 ++++++++++++++++++--
  src/sort.c                  | 790 +++++++++++++++++++++++++++++++++---
- src/unexpand.c              | 101 ++++-
+ src/unexpand.c              | 103 ++++-
  tests/Coreutils.pm          |   3 +
  tests/expand/mb.sh          | 183 +++++++++
  tests/i18n/sort.sh          |  29 ++
@@ -33,8 +33,8 @@ Subject: [PATCH] coreutils-i18n.patch
  tests/pr/pr-tests.pl        |  49 +++
  tests/sort/sort-merge.pl    |  42 ++
  tests/sort/sort.pl          |  40 +-
- tests/unexpand/mb.sh        | 172 ++++++++
- 30 files changed, 3632 insertions(+), 195 deletions(-)
+ tests/unexpand/mb.sh        | 189 +++++++++
+ 30 files changed, 3645 insertions(+), 196 deletions(-)
  create mode 100644 lib/mbchar.c
  create mode 100644 lib/mbchar.h
  create mode 100644 lib/mbfile.c
@@ -548,7 +548,7 @@ index 0000000..f4e3e77
 +#include "mbfile.h"
 diff --git a/lib/mbfile.h b/lib/mbfile.h
 new file mode 100644
-index 0000000..c852f31
+index 0000000..95c7c42
 --- /dev/null
 +++ b/lib/mbfile.h
 @@ -0,0 +1,277 @@
@@ -1843,7 +1843,7 @@ index 5ec7ce9..65ac315 100644
  }
  
 diff --git a/src/fold.c b/src/fold.c
-index b64aad4..a156337 100644
+index b64aad4..241b17c 100644
 --- a/src/fold.c
 +++ b/src/fold.c
 @@ -23,10 +23,32 @@
@@ -2247,7 +2247,7 @@ index b64aad4..a156337 100644
  
          case 's':		/* Break at word boundaries. */
 diff --git a/src/local.mk b/src/local.mk
-index 188dda1..7db5753 100644
+index 3bfe814..e42bb79 100644
 --- a/src/local.mk
 +++ b/src/local.mk
 @@ -478,8 +478,8 @@ src_base32_CPPFLAGS = -DBASE_TYPE=32 $(AM_CPPFLAGS)
@@ -4102,7 +4102,7 @@ index 7af1a25..d3dc684 100644
            break;
  
 diff --git a/src/unexpand.c b/src/unexpand.c
-index ff234d7..7c36ef6 100644
+index ff234d7..06ea637 100644
 --- a/src/unexpand.c
 +++ b/src/unexpand.c
 @@ -39,6 +39,9 @@
@@ -4152,7 +4152,7 @@ index ff234d7..7c36ef6 100644
       tab stop, then MAX_COLUMN_WIDTH - 1 blanks, then a non-blank; so
       allocate MAX_COLUMN_WIDTH bytes to store the blanks.  */
 -  pending_blank = ximalloc (max_column_width);
-+  pending_blank = ximalloc (max_column_width * sizeof (mbf_char_t));
++  pending_blank = xinmalloc (max_column_width, sizeof (mbf_char_t));
 +
 +  if (found_bom == true)
 +    print_bom();
@@ -4213,7 +4213,7 @@ index ff234d7..7c36ef6 100644
  
                if (blank)
                  {
-@@ -175,16 +232,16 @@ unexpand (void)
+@@ -175,30 +232,31 @@ unexpand (void)
  
                    if (convert)
                      {
@@ -4231,9 +4231,10 @@ index ff234d7..7c36ef6 100644
 -                          column++;
 +                          column += mb_width (c);
  
-                           if (! (prev_blank && column == next_tab_column))
+-                          if (! (prev_blank && column == next_tab_column))
++                          if (! (prev_blank && column >= next_tab_column))
                              {
-@@ -192,13 +249,14 @@ unexpand (void)
+                               /* It is not yet known whether the pending blanks
                                   will be replaced by tabs.  */
                                if (column == next_tab_column)
                                  one_blank_before_tab_stop = true;
@@ -4321,7 +4322,7 @@ index b55fb9d..ac80f49 100644
            warn "$program_name: $test_name: test name is too long (> $max)\n";
 diff --git a/tests/expand/mb.sh b/tests/expand/mb.sh
 new file mode 100644
-index 0000000..dd6007c
+index 0000000..6d6497a
 --- /dev/null
 +++ b/tests/expand/mb.sh
 @@ -0,0 +1,183 @@
@@ -5016,10 +5017,10 @@ index 2ee92c4..96c7965 100755
  my $verbose = $ENV{VERBOSE};
 diff --git a/tests/unexpand/mb.sh b/tests/unexpand/mb.sh
 new file mode 100644
-index 0000000..8a82d74
+index 0000000..9fa1823
 --- /dev/null
 +++ b/tests/unexpand/mb.sh
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,189 @@
 +#!/bin/sh
 +
 +# Copyright (C) 2012-2015 Free Software Foundation, Inc.
@@ -5192,7 +5193,23 @@ index 0000000..8a82d74
 +LC_ALL=C unexpand -a in in > out || fail=1
 +compare exp out > /dev/null 2>&1 || fail=1
 +
++# Ensure overflow is handed gracefully
++# coreutils v9.11 induced a buffer overflow with mb_mul=4 (or 16).
++for mb_mul in 4 6; do
++  printf '   \n' | unexpand -t $(expr $SIZE_MAX / $mb_mul + 1) 2>err; ret=$?
++  test "$ret" = 1 || test "$ret" = 0 || { cat err; fail=1; }
++done
++
++# A blank whose display width exceeds the tab distance must not overrun
++# the pending-blank buffer.  With -t1 every column is a tab stop, so a
++# width-2 ideographic space steps over the stop without landing on it;
++# the run of blanks then grew pending_blank without bound.
++ideo_space=$(env printf '\u3000')
++{ yes "$ideo_space" | head -n 40000 | tr -d '\n'; echo; } |
++  unexpand -t1 >out 2>err; ret=$?
++test "$ret" = 0 || { cat err; fail=1; }
++
 +Exit $fail
 -- 
-2.50.0
+2.54.0
 

diff --git a/coreutils.spec b/coreutils.spec
index ef4619a..5c39f7b 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name:    coreutils
 Version: 9.7
-Release: 8%{?dist}
+Release: 9%{?dist}
 # some used parts of gnulib are under various variants of LGPL
 License: GPL-3.0-or-later AND GFDL-1.3-no-invariants-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later
 Url:     https://www.gnu.org/software/coreutils/
@@ -298,6 +298,9 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 %license COPYING
 
 %changelog
+* Thu Jun 11 2026 Lukáš Zaoral <lzaoral@redhat.com> - 9.7-9
+- unexpand: fix heap overflows
+
 * Mon Mar 09 2026 Lukáš Zaoral <lzaoral@redhat.com> - 9.7-8
 - fix unexpand/expand crash on invalid multibyte characters (rhbz#2443041)
 

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-06-11 10:53 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-11 10:53 [rpms/coreutils] f43: unexpand: fix heap overflows

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox