| Title | radareorg radare2 6.1.6 Integer Overflow |
|---|
| Description | > This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
`r_print_format_hexpairs` in `libr/util/format2.c` can return an attacker-controlled element count that overflows the signed offset accounting in its caller.
The crafted format `b[2147483647]X` advances the current index and then makes the `X` hexpairs field return `INT_MAX`. The immediate caller overflows `i += size` at `libr/util/format2.c:2532:8`. UBSan reports:
```text
runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
```
The expected behavior is for the format parser to reject oversized repeat counts or use checked arithmetic before updating the signed index.
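One way to perform the checked index update described above, as an added example that is not radare2's code and not part of the original report. The names `checked_advance` and `walk_fields`, the buffer-length bound, and the field sizes are assumptions constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical helper (not radare2 code): advance a signed byte index by a
 * field size only if the sum is representable and stays inside the buffer. */
static bool checked_advance(int *idx, int size, int buf_len) {
    if (size < 0 || *idx < 0 || buf_len < 0) {
        return false;
    }
    /* "idx + size > INT_MAX" rewritten as "size > INT_MAX - idx", so the
     * test itself never performs the overflowing addition. */
    if (size > INT_MAX - *idx) {
        return false;
    }
    /* Assumption: a field may not extend past the data being formatted. */
    if (*idx + size > buf_len) {
        return false;
    }
    *idx += size;
    return true;
}

/* Constructed model of a format walk: sizes[] holds the byte count each
 * field handler reported. Returns the final index, or -1 as soon as one
 * field's size is rejected. */
static int walk_fields(const int *sizes, size_t n, int buf_len) {
    int idx = 0;
    for (size_t k = 0; k < n; k++) {
        if (!checked_advance(&idx, sizes[k], buf_len)) {
            return -1;
        }
    }
    return idx;
}
```

With the sizes from the report (a 1-byte field followed by a field reporting `INT_MAX`), the walk stops with an error instead of evaluating `1 + 2147483647`.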
## Test
PoC:
- [pf2_hexpairs_overflow_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-009/pocs/pf2_hexpairs_overflow_harness.c)
- [run_pf2_hexpairs_overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-009/pocs/run_pf2_hexpairs_overflow.sh)
- [pf2_hexpairs_overflow.r2](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-009/inputs/pf2_hexpairs_overflow.r2)
Reproducer:
```sh
ASAN_OPTIONS=detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
./build/binr/radare2/radare2 -q -N \
-e scr.color=0 \
-c "pf2 [2147483647]X" \
-c q \
malloc://16
```
Expected sanitizer result:
```text
libr/util/format2.c:2532:8: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
```
Stack trace excerpt:
```text
#0 r_print_format_internal libr/util/format2.c:2532
#1 r_print_format2 libr/util/format2.c:2898
#2 main row-validation-output/case-009/pocs/pf2_hexpairs_overflow_harness.c:9
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/util/format2.c:2532:8
```
|
|---|
| Source | ⚠️ https://github.com/radareorg/radare2/issues/26042 |
|---|
| User | Kery Qi (UID 94424) |
|---|
| Submission | 2026-06-06 07:23 (29 days ago) |
|---|
| Moderation | 2026-07-04 18:19 (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376347 [radareorg radare2 up to 6.1.6 hexpairs Parser libr/core/cmd_anal.inc.c cmd_anal_opcode buffer overflow] |
|---|
| Points | 20 |
|---|