| Title | radareorg radare2 6.1.6 Integer Overflow |
|---|
| Description | > This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
`r_str_append` in `libr/util/str.c` can overflow signed `int` arithmetic while computing the required appended string size.
A harness linked against the sanitized `libr_util` drives the size calculation to `2147483647 + 1`. UBSan reports signed integer overflow at `libr/util/str.c:870:36`.
The expected behavior is to use checked size arithmetic and reject append operations whose computed size exceeds the supported range.
## Test
PoC:
- [r_str_append_overflow_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c)
- [run_r_str_append_overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/run_r_str_append_overflow.sh)
Reproducer:
```sh
ROOT="$PWD"
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c
clang -fsanitize=address,undefined -fno-omit-frame-pointer -g -O0 \
-I"$ROOT/libr/include" \
-I"$ROOT/build" \
-I"$ROOT/shlr/sdb/include" \
-L"$ROOT/build/libr/util" \
-Wl,-rpath,"$ROOT/build/libr/util" \
-o /tmp/r_str_append_overflow_harness \
r_str_append_overflow_harness.c \
-lr_util
ASAN_OPTIONS=detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
/tmp/r_str_append_overflow_harness
```
Expected sanitizer result:
```text
libr/util/str.c:870:36: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
```
Stack trace excerpt:
```text
#0 r_str_append libr/util/str.c:870
#1 main row-validation-output/case-027/pocs/r_str_append_overflow_harness.c:108
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/util/str.c:870:36
```
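One way to do the checked size arithmetic the report calls for, as an added example: this is not radare2's code or its fix, and `append_size_checked` and `str_append_checked` are hypothetical names. It assumes the API keeps sizes in `int`, so any append whose total (including the NUL) would exceed `INT_MAX` is rejected before any `int` addition happens.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: compute cur_len + add_len + 1 (NUL) without ever
 * forming a value above INT_MAX. Returns 0 and stores the size in *out,
 * or -1 to reject. The || short-circuit keeps the subtraction from wrapping. */
int append_size_checked(size_t cur_len, size_t add_len, int *out) {
	const size_t max = (size_t)INT_MAX;
	if (cur_len >= max || add_len > max - 1 - cur_len) {
		return -1; /* cur_len + add_len + 1 would exceed INT_MAX */
	}
	*out = (int)(cur_len + add_len + 1);
	return 0;
}

/* Hypothetical helper: append src to heap string dst (dst may be NULL).
 * Returns the possibly moved buffer, or NULL on rejection or allocation
 * failure; dst is then untouched and still owned by the caller. */
char *str_append_checked(char *dst, const char *src) {
	size_t cur_len = dst ? strlen(dst) : 0;
	size_t add_len = src ? strlen(src) : 0;
	int total;
	if (append_size_checked(cur_len, add_len, &total) != 0) {
		return NULL;
	}
	char *out = realloc(dst, (size_t)total);
	if (!out) {
		return NULL;
	}
	if (add_len) {
		memcpy(out + cur_len, src, add_len);
	}
	out[cur_len + add_len] = '\0';
	return out;
}

int main(void) {
	int sz = 0;
	/* Constructed lengths: the sum is INT_MAX, so the NUL byte does not fit. */
	int rc = append_size_checked((size_t)INT_MAX - 5, 5, &sz);
	printf("boundary append: %s\n", rc ? "rejected" : "accepted");
	char *s = str_append_checked(NULL, "r2");
	printf("small append: %s\n", s ? s : "(failed)");
	free(s);
	return 0;
}
```

Building this with the same `-fsanitize=address,undefined` flags as the reproducer should produce no UBSan report, because the boundary case is rejected in `size_t` arithmetic.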
|
|---|
| Source | ⚠️ https://github.com/radareorg/radare2/issues/26045 |
|---|
| User | Kery Qi (UID 94424) |
|---|
| Submission | 06.06.2026 07:31 (29 days ago) |
|---|
| Moderation | 04.07.2026 18:19 (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376350 [radareorg radare2 up to 6.1.6 libr/util/str.c r_str_ndup/r_str_append buffer overflow] |
|---|
| Points | 20 |
|---|