30598 – strings crashes when told to search for strings of size 0x40000000 and give special treatment to UTF-8 characters

Bug 30598 - strings crashes when told to search for strings of size 0x40000000 and give special treatment to UTF-8 characters

Summary: strings crashes when told to search for strings of size 0x40000000 and give s...

Status:	RESOLVED FIXED

Alias:	None

Product:	binutils
Classification:	Unclassified
Component:	binutils (show other bugs)
Version:	2.41

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-06-30 10:42 UTC by Gabriel Ravier
Modified:	2023-12-13 18:18 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gabriel Ravier 2023-06-30 10:42:31 UTC

Version of the utility:
$ ./binutils/strings --version
GNU strings (GNU Binutils) 2.40.50.20230630
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

Patches: None, the source code used is current HEAD (git commit 0d1cd7d97835941c046dbb7ec1c83bc7c05779e6)

Type of machine used, OS and version number:
$ uname -a
Linux fedora 6.3.8-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 15 02:15:40 UTC 2023 x86_64 GNU/Linux

Compiler used to compile the utilities:
$ gcc --version
gcc (GCC) 13.1.1 20230614 (Red Hat 13.1.1-4)
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Command arguments used to reproduce the bug:
$ ./binutils/strings -U locale -n0x40000000 <(head -c50000000 /dev/zero | tr '\0' a)
Segmentation fault (core dumped)

Behavior I observe that I believe is incorrect:
strings crashes. I believe it should output nothing as there are no strings longer than 1073741824 characters in the provided input file.


See also https://sourceware.org/bugzilla/show_bug.cgi?id=30595, which this derives from: the fix there fixed the initial issue, but the check that tries to make sure `print_unicode_stream` won't allocate a too-large buffer is faulty.

Comment 1 Sourceware Commits 2023-06-30 12:54:42 UTC

The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3713e829be7e0195a78de17282304bebf8746b67

commit 3713e829be7e0195a78de17282304bebf8746b67
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Jun 30 13:54:03 2023 +0100

    strings: Improve code to detect excessively large minimum string lengths.
    
      PR 30598
      * strings.c (set_string_min): New function. (main): Use it. (print_unicode_stream): Calculate buffer size using a size_t.

Comment 2 Nick Clifton 2023-06-30 12:56:32 UTC

Bah humbug.

OK, I have created a more robust patch...

Cheers
  Nick