Zhihan Zheng <[email protected]> writes:

> Hello GNU m4 Maintainer,
>
> I would like to report a potential security issue in m4 1.4.21.
>
> The issue is in the eval parser in src/eval.c. The parser recursively
> calls primary() on nested parentheses and unary operators:
>
> ```c
> case LEFTP:
>   er = primary (v1);
>   er = parse_expr (v1, er, MIN_PREC);
>
> case PLUS:
>   return primary (v1);
> case MINUS:
>   er = primary (v1);
> ```
>
> There appears to be no recursion-depth limit on this path. A deeply
> nested expression can therefore exhaust the process stack and crash.
>
> Affected area:
> - src/eval.c:311-372
>
> If useful, I can provide a minimal PoC and reproduction output.
>
> If you believe this is a valid security issue, please let me know your
> preferred remediation or coordinated disclosure process. If needed, I
> can also assist with CVE coordination after triage.

Not a security bug.

m4 exits gracefully instead of placing arbitrary limits on the user.

    $ cat main.py
    print('eval(`', end='');
    for i in range(100000):
        print('-(', end='')
    print('0', end='')
    for i in range(100000):
        print(')', end='')
    print("')")
    $ python3 main.py | m4
    m4: stack overflow

Collin
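As an added illustration, not code from m4 and not part of either message above, the following small recursive-descent parser accepts the same shape of input as the report discusses (unary sign, parentheses, integers) but counts its own nesting depth and returns an error status once a limit is reached, so the outcome is a checked return value rather than a process stack overflow. MAX_NESTING, eval_status, eval_string and nested_input are names made up for this example; nested_input only builds the constructed input shape from the reply above (n copies of "-(", a "0", then n closing parentheses).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical nesting limit for this example; not an m4 constant. */
#define MAX_NESTING 1000

typedef enum { EVAL_OK = 0, EVAL_SYNTAX, EVAL_TOO_DEEP } eval_status;

struct parser {
    const char *cur;   /* next unread character */
    int depth;         /* current recursion depth of primary() */
};

/* primary := '(' primary ')' | '-' primary | '+' primary | integer
 * The depth is checked before each recursive call, so an over-deep input
 * is rejected with EVAL_TOO_DEEP instead of exhausting the stack. */
static eval_status primary(struct parser *ps, long *out)
{
    eval_status st;

    if (ps->depth >= MAX_NESTING)
        return EVAL_TOO_DEEP;
    ps->depth++;

    switch (*ps->cur) {
    case '(':
        ps->cur++;
        st = primary(ps, out);
        if (st == EVAL_OK) {
            if (*ps->cur == ')')
                ps->cur++;
            else
                st = EVAL_SYNTAX;   /* missing closing parenthesis */
        }
        break;
    case '-':
        ps->cur++;
        st = primary(ps, out);
        if (st == EVAL_OK)
            *out = -*out;
        break;
    case '+':
        ps->cur++;
        st = primary(ps, out);
        break;
    default:
        if (isdigit((unsigned char)*ps->cur)) {
            char *end;
            *out = strtol(ps->cur, &end, 10);
            ps->cur = end;
            st = EVAL_OK;
        } else {
            st = EVAL_SYNTAX;       /* unexpected character or end of input */
        }
        break;
    }

    ps->depth--;
    return st;
}

/* Evaluate a whole string; any trailing text is a syntax error. */
eval_status eval_string(const char *text, long *out)
{
    struct parser ps = { text, 0 };
    eval_status st = primary(&ps, out);
    if (st == EVAL_OK && *ps.cur != '\0')
        st = EVAL_SYNTAX;
    return st;
}

/* Constructed input in the shape of the reply's generator: n copies of
 * "-(", then "0", then n copies of ")". The caller frees the result. */
char *nested_input(size_t n)
{
    char *buf = malloc(3 * n + 2);
    char *p = buf;
    size_t i;
    if (!buf)
        return NULL;
    for (i = 0; i < n; i++) { *p++ = '-'; *p++ = '('; }
    *p++ = '0';
    for (i = 0; i < n; i++)
        *p++ = ')';
    *p = '\0';
    return buf;
}

int main(void)
{
    long v = 0;
    eval_status st = eval_string("-(-(5))", &v);
    char *deep = nested_input(100000);
    printf("-(-(5)) -> status %d, value %ld\n", st, v);
    st = eval_string(deep, &v);
    printf("100000 nested levels -> status %d (%d = too deep)\n", st, EVAL_TOO_DEEP);
    free(deep);
    return 0;
}
```

Each "-(" consumes two levels of primary(), so with MAX_NESTING at 1000 the parser accepts a few hundred nested groups and reports EVAL_TOO_DEEP for the 100000-level input, while the shallow expressions evaluate normally.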
