Submission #850385: radareorg radare2 6.1.6 Integer Overflow

Title: radareorg radare2 6.1.6 Integer Overflow
Description:

> This report was generated by AI and manually verified by a human.

## Environment

```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```

## Description

`r_str_append` in `libr/util/str.c` can overflow signed `int` arithmetic while computing the required appended string size. A harness linked against the sanitized `libr_util` drives the size calculation to `2147483647 + 1`. UBSan reports signed integer overflow at `libr/util/str.c:870:36`.

The expected behavior is to use checked size arithmetic and reject append operations whose computed size exceeds the supported range.

## Test

PoC:

- [r_str_append_overflow_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c)
- [run_r_str_append_overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/run_r_str_append_overflow.sh)

Reproducer:

```sh
ROOT="$PWD"
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c
clang -fsanitize=address,undefined -fno-omit-frame-pointer -g -O0 \
  -I"$ROOT/libr/include" \
  -I"$ROOT/build" \
  -I"$ROOT/shlr/sdb/include" \
  -L"$ROOT/build/libr/util" \
  -Wl,-rpath,"$ROOT/build/libr/util" \
  -o /tmp/r_str_append_overflow_harness \
  r_str_append_overflow_harness.c \
  -lr_util
ASAN_OPTIONS=detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
/tmp/r_str_append_overflow_harness
```

Expected sanitizer result:

```text
libr/util/str.c:870:36: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
```

Stack trace excerpt:

```text
#0 r_str_append libr/util/str.c:870
#1 main row-validation-output/case-027/pocs/r_str_append_overflow_harness.c:108
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/util/str.c:870:36
```
Source: https://github.com/radareorg/radare2/issues/26045
User: Kery Qi (UID 94424)
Submission: 2026-06-06 07:31 (29 days ago)
Moderation: 2026-07-04 18:19 (28 days later)
Status: Accepted
VulDB entry: 376350 [radareorg radare2 up to 6.1.6 libr/util/str.c r_str_ndup/r_str_append buffer overflow]
Points: 20
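
The checked size arithmetic the report asks for could look like the following added example; it is not radare2's code or its fix. The names `append_size` and `checked_str_append` and the `APPEND_MAX` cap are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap: results stay representable in int for callers that keep lengths in int. */
#define APPEND_MAX ((size_t)INT_MAX)

/* Store plen + slen + 1 (for the NUL) in *out; false if that would exceed APPEND_MAX. */
static bool append_size(size_t plen, size_t slen, size_t *out) {
	if (plen >= APPEND_MAX || slen >= APPEND_MAX - plen) {
		return false; /* rejected before any addition can wrap */
	}
	*out = plen + slen + 1;
	return true;
}

/* Append s to heap string ptr (may be NULL). On rejection or allocation
 * failure returns NULL and leaves ptr valid and unchanged. */
static char *checked_str_append(char *ptr, const char *s) {
	if (!s) {
		return ptr;
	}
	size_t plen = ptr ? strlen(ptr) : 0;
	size_t slen = strlen(s);
	size_t need;
	if (!append_size(plen, slen, &need)) {
		return NULL;
	}
	char *np = realloc(ptr, need);
	if (!np) {
		return NULL;
	}
	memcpy(np + plen, s, slen + 1); /* copies the terminating NUL too */
	return np;
}

int main(void) {
	size_t n = 0;
	/* Constructed lengths matching the report's 2147483647 + 1 case. */
	printf("in range: %d\n", append_size((size_t)INT_MAX - 1, 0, &n));
	printf("rejected: %d\n", append_size((size_t)INT_MAX - 1, 1, &n));
	char *p = checked_str_append(NULL, "abc");
	p = checked_str_append(p, "def");
	puts(p ? p : "(null)");
	free(p);
	return 0;
}
```

Because the bound is checked by subtraction on `size_t` before anything is added, no intermediate value can wrap, and the size passed to `realloc` never exceeds `INT_MAX`.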
