On 15/10/17 18:04, Jaeseung Choi wrote: > Dear GNU team, > > While testing coreutils for a research purpose, we found the following > segfault in 'b2sum'. Running b2sum with --check option, and simply > providing a string "BLAKE2" with no trailing character raises the > crash as below.
Wow thanks! Were you fuzzing the inputs? Can you give more details on your testing? The attached should fix this case. thanks! Pádraig
>From 94719b21bb80e51a90d51917583a57d1180918c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A1draig=20Brady?= <p...@draigbrady.com> Date: Mon, 16 Oct 2017 01:04:37 -0700 Subject: [PATCH] b2sum: fix crash with --check and truncated input * src/md5sum.c (split_3): Ensure we don't walk off the end of the string. * tests/misc/b2sum.sh: Add test cases. Fixes https://bugs.gnu.org/28860 --- src/md5sum.c | 3 ++- tests/misc/b2sum.sh | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/md5sum.c b/src/md5sum.c index a7e2a9e..c800231 100644 --- a/src/md5sum.c +++ b/src/md5sum.c @@ -430,7 +430,8 @@ split_3 (char *s, size_t s_len, #if HASH_ALGO_BLAKE2 /* Terminate and match algorithm name. */ char const *algo_name = &s[i - algo_name_len]; - while (! ISWHITE (s[i]) && s[i] != '-' && s[i] != '(') + /* Skip algorithm variants. */ + while (s[i] && ! ISWHITE (s[i]) && s[i] != '-' && s[i] != '(') ++i; bool length_specified = s[i] == '-'; bool openssl_format = s[i] == '('; /* and no length_specified */ diff --git a/tests/misc/b2sum.sh b/tests/misc/b2sum.sh index d16427c..28fd95b 100755 --- a/tests/misc/b2sum.sh +++ b/tests/misc/b2sum.sh @@ -46,4 +46,9 @@ b2sum -l 128 check.vals > out || fail=1 printf '%s\n' '796485dd32fe9b754ea5fd6c721271d9 check.vals' > exp compare exp out || fail=1 +# This would segfault from coreutils-8.26 to coreutils-8.28 +printf '%s\n' 'BLAKE2' 'BLAKE2b' 'BLAKE2-' 'BLAKE2(' 'BLAKE2 (' > crash.check \ + || framework_failure_ +returns_ 1 b2sum -c crash.check || fail=1 + Exit $fail -- 2.9.3
