Submit #850387: radareorg radare2 6.1.6 Integer Overflow info

Title: radareorg radare2 6.1.6 Integer Overflow

Description:

> This report was generated by AI and manually verified by a human.

## Environment

```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```

## Description

The `pb` print command can trigger signed integer overflow in `cmd_print` in `libr/core/cmd_print.inc.c`.

Running `pb 0x10000000` makes the command compute `len * 8` in a signed `int`. UBSan reports the overflow at `libr/core/cmd_print.inc.c:7058:25`:

```text
runtime error: signed integer overflow: 268435456 * 8 cannot be represented in type 'int'
```

The expected behavior is to validate the requested print length before multiplying by 8, or to use checked arithmetic and reject oversized requests.

## Test

PoC:

- [run-pb-int-overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-031/pocs/run-pb-int-overflow.sh)
- [pb-int-overflow.r2](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-031/inputs/pb-int-overflow.r2)

Reproducer:

```sh
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-031/inputs/pb-int-overflow.r2

ASAN_OPTIONS=abort_on_error=0:symbolize=1:detect_leaks=0:allocator_may_return_null=1 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
LSAN_OPTIONS=detect_leaks=0 \
./build/binr/radare2/radare2 -q -n -N \
  -e scr.color=0 \
  -e scr.interactive=false \
  -i pb-int-overflow.r2 \
  malloc://1
```

Expected sanitizer result:

```text
libr/core/cmd_print.inc.c:7058:25: runtime error: signed integer overflow: 268435456 * 8 cannot be represented in type 'int'
```

Stack trace excerpt:

```text
#0 cmd_print libr/core/cmd_print.inc.c:7058:25
#1 r_core_cmd_subst_i libr/core/cmd.c:5386:8
#2 r_core_cmd_subst libr/core/cmd.c:4096:10
#3 run_cmd_depth libr/core/cmd.c:6366:9
#4 r_core_cmd libr/core/cmd.c:6469:8
#5 r_core_cmd_lines libr/core/cmd.c:6507:8
#6 r_core_cmd_file libr/core/cmd.c:6552:7
#7 r_core_run_script libr/core/cmd.c:1536:13
#8 run_commands libr/main/radare2.c:386:13
#9 r_main_radare2 libr/main/radare2.c:1819:8
#10 main binr/radare2/radare2.c:119:9
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/core/cmd_print.inc.c:7058:25
```
Source: ⚠️ https://github.com/radareorg/radare2/issues/26048

User: Kery Qi (UID 94424)

Submission: 2026-06-06 07:32 (30 days ago)

Moderation: 2026-07-05 18:03 (29 days later)

Status: Accepted

VulDB entry: 376376 [radareorg radare2 up to 6.1.6 pb Print Command libr/core/cmd_print.inc cmd_print buffer overflow]

Points: 20
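
The two remediation options named in the description (validate the length before multiplying by 8, or use checked arithmetic), shown as an added example; this is not radare2 code or the project's fix. The helper names are hypothetical, and the sample values assume a 32-bit `int`, as in the sanitizer message.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helpers (not radare2 functions): turn a requested byte
 * count into a bit count without ever evaluating an overflowing len * 8. */

/* Option 1: validate the range first, then multiply. */
static bool len_to_bits_precheck(int len, int *bits) {
	if (len > INT_MAX / 8 || len < INT_MIN / 8) {
		return false; /* len * 8 would not fit in int; *bits untouched */
	}
	*bits = len * 8;
	return true;
}

/* Option 2: checked arithmetic via the GCC/Clang builtin, which returns
 * true when the mathematical result does not fit in *bits. Callers must
 * ignore *bits when this helper returns false. */
static bool len_to_bits_checked(int len, int *bits) {
	return !__builtin_mul_overflow(len, 8, bits);
}

int main(void) {
	/* Constructed inputs: the value from the report and its neighbours. */
	const int samples[] = { 1, 0x0fffffff, 0x10000000, INT_MAX };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int a = 0, b = 0;
		bool ok_a = len_to_bits_precheck(samples[i], &a);
		bool ok_b = len_to_bits_checked(samples[i], &b);
		printf("len=%d precheck=%s checked=%s bits=%d\n", samples[i],
			ok_a ? "ok" : "rejected", ok_b ? "ok" : "rejected",
			ok_a ? a : 0);
	}
	return 0;
}
```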
