Good news.

Between glibc malloc's heap consistency checks and Debian's hardening flags
(the stack protector), this problem appears to be already mitigated, at
least as far back as groff 1.22.4-6.

$ /usr/bin/groff --version | head -n 1
GNU groff version 1.22.4
$ dpkg -s groff | sed -n '/\(Package\|Version\)/p'
Package: groff
Version: 1.22.4-6
$ cat /tmp/crasher.groff
.PS
define nop {
}
nop(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,\
    25,26,27,28,29,30,31,,,,,,,,,,,,,,,,,,,,,,,);
.PE
$ ~/groff-1.23.0/bin/groff -p /tmp/crasher.groff
malloc(): corrupted top size
/home/branden/groff-1.23.0/bin/groff: error: pic: Aborted (core dumped)
$ /usr/bin/groff -p /tmp/crasher.groff
malloc(): corrupted top size
/usr/bin/groff: pic: Signal 6 (core dumped)
$ cat /tmp/bigger-crasher.groff
.PS
# Plot a single jumper in a $1 by $2 box, $3 is the on-off state
    define jumper { [
    shrinkfactor = 0.8;
    Outer: box invis wid 0.5 ht 1;

    # Count on end ] to reset these
    boxwid = Outer.wid * shrinkfactor / 2;
    boxht = Outer.ht * shrinkfactor / 2;

    box fill (!$1) with .s at center of Outer;
    box fill ($1) with .n at center of Outer;
] }

# Plot a block of six jumpers
define jumperblock {
    jumper($1);
    jumper($2);
    jumper($3);
    jumper($4);
    jumper($5);
    jumper($6);

    jwidth = last [].Outer.wid;
    jheight = last [].Outer.ht;

    box with .nw at 6th last [].nw wid 6*jwidth ht jheight;

    # Use {} to avoid changing position from last box draw.
    # This is necessary so move in any direction will work as expected
    {"Jumpers in state $1$2$2$3$4$5$6" at last box .s + (0, -0.2);}
}
# Sample macro invocations
jumperblock(1,1,0,0,1,0);
move;
jumperblock(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,\
            23,24,25,26,27,28,29,30,31,,0AAAA,1AAAB,,,,,,7AAAH,,9AAAJA,\
            10AAAK,11AAAL,12AAAM,13AAAN,14AAAO,15AAAP,16AAAQ,17AAAR,\
            18AAAS,19AAAT,20AAAU,21AAAAAAV);
.PE
$ ~/groff-1.23.0/bin/groff -p /tmp/bigger-crasher.groff
*** stack smashing detected ***: terminated
/home/branden/groff-1.23.0/bin/groff: error: pic: Aborted (core dumped)
$ /usr/bin/groff -p /tmp/bigger-crasher.groff
*** stack smashing detected ***: terminated
/usr/bin/groff: pic: Signal 6 (core dumped)

Perhaps these findings put a ceiling on the potential severity of this
bug report: in both cases the corruption is detected and turned into an
abort rather than going unnoticed, at least on builds where these
mitigations are in effect.

Regards,
Branden

