Hello, I'm part of a research group at Stanford, working on automatic
bug-finding tools.  We are currently testing coreutils, and we found a
crash bug in ptx due to an unbounded buffer overflow.

  Here is a trivial test case that triggers the bug in the current
version of coreutils (6.10):

$ ptx -F\\

  Another example, which overflows more bytes would be:
$ ptx -F\\ abcdef

(the overflow increases with the length of the second argument).

  The problem is in function copy_unescaped_string(const char *string),
which in the presence of backslashes can advance the pointer "string"
past the end of the buffer.  This in turn causes an unbounded overflow
of the buffer malloc-ed at the very beginning of the function, which in
turn can be used to corrupt the heap metadata and crash the program.

  We would appreciate your confirmation of the bug.

  Cristian Cadar

_______________________________________________
Bug-coreutils mailing list
Bug-coreutils@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-coreutils
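The loop shape described in the report above, reconstructed as an added example (this is not the ptx.c source or any coreutils code; the function names, the escape set handled and the constructed memory layout are all assumptions made for illustration). It shows a naive escape-copying loop that steps over the terminator when a backslash is the last byte of the input, measures how many bytes it writes beyond the strlen+1 it would have allocated when the next argv string happens to follow in memory, and then shows the hardened form that checks for the terminator immediately after the backslash:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical escape-handling loop in the shape the report describes.
   After '\\' it advances and inspects the next byte without first checking
   for the terminator.  If the backslash was the last character, the second
   string++ steps over the NUL and the loop keeps copying whatever lies
   beyond it.  It writes into a caller-supplied buffer so the demo can
   measure the overrun instead of corrupting the heap; returns the number
   of bytes written, including the terminator. */
size_t naive_unescape_into(const char *string, char *out)
{
    char *cursor = out;

    while (*string) {
        if (*string == '\\') {
            string++;                      /* may now point at the NUL */
            switch (*string) {
            case 'n':  *cursor++ = '\n'; break;
            case 't':  *cursor++ = '\t'; break;
            case '\\': *cursor++ = '\\'; break;
            default:                       /* unknown escape: keep both bytes */
                *cursor++ = '\\';
                *cursor++ = *string;       /* copies the NUL when trailing */
                break;
            }
            string++;                      /* steps past the NUL when trailing */
        } else {
            *cursor++ = *string++;
        }
    }
    *cursor++ = '\0';
    return (size_t)(cursor - out);
}

/* Hardened form: test for the terminator right after the backslash.  A
   trailing backslash is kept literally and the loop ends.  Every branch
   then emits at most one output byte per input byte consumed, so the
   strlen+1 allocation is sufficient. */
char *safe_unescape(const char *string)
{
    char *result = malloc(strlen(string) + 1);
    char *cursor = result;

    if (!result)
        return NULL;
    while (*string) {
        if (*string == '\\') {
            string++;
            if (*string == '\0') {         /* backslash at end of input */
                *cursor++ = '\\';
                break;
            }
            switch (*string) {
            case 'n':  *cursor++ = '\n'; break;
            case 't':  *cursor++ = '\t'; break;
            case '\\': *cursor++ = '\\'; break;
            default:
                *cursor++ = '\\';
                *cursor++ = *string;
                break;
            }
            string++;
        } else {
            *cursor++ = *string++;
        }
    }
    *cursor = '\0';
    return result;
}

/* Constructed memory image modelling `ptx -F\\ abcdef`: argv[1] is "\" and
   argv[2] = "abcdef" sits right after its terminator, as adjacent argv
   strings typically do.  Built for this demo, not captured from a run. */
static const char adjacent_argv[] = { '\\', '\0', 'a', 'b', 'c', 'd', 'e', 'f', '\0' };

/* Bytes the naive loop writes beyond the strlen+1 it would have allocated
   for argv[1]; grows with the length of the following argument. */
size_t naive_overrun_bytes(void)
{
    char scratch[64];                      /* oversized so the demo stays in bounds */
    size_t allocated = strlen(adjacent_argv) + 1;
    size_t written = naive_unescape_into(adjacent_argv, scratch);
    return written > allocated ? written - allocated : 0;
}

/* Helper: 1 if safe_unescape(in) yields expected, else 0. */
int safe_unescape_equals(const char *in, const char *expected)
{
    char *r = safe_unescape(in);
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void)
{
    char *s = safe_unescape("\\");
    printf("naive loop overruns its buffer by %zu bytes\n", naive_overrun_bytes());
    printf("safe_unescape(\"\\\\\") = \"%s\"\n", s);
    free(s);
    return 0;
}
```

The single-argument case in the report (`ptx -F\\`) corresponds to the same walk past the terminator with whatever bytes happen to follow; the fix is the one-line terminator check, which also keeps the output no longer than the input so the original allocation size stays correct.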