Submission #850381: radareorg radare2 6.1.6 Integer Overflow

Information

Title: radareorg radare2 6.1.6 Integer Overflow
Description:

> This report was generated by AI and manually verified by a human.

## Environment

```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```

## Description

The `aos` command can trigger signed integer overflow in the `core_anal_bytes` path in `libr/core/cmd_anal.inc.c`. The input command `aos 268435456` reaches the immediate caller path and computes `l *= 8` in a signed `int`. UBSan reports the overflow at `libr/core/cmd_anal.inc.c:9857:6`:

```text
runtime error: signed integer overflow: 268435456 * 8 cannot be represented in type 'int'
```

The expected behavior is to validate the requested analysis length before multiplying it by 8, or to use checked arithmetic and reject values that exceed the supported range.

## Test

PoC:

- [run-overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-008/pocs/run-overflow.sh)
- [onebyte.bin](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-008/inputs/onebyte.bin)

Reproducer:

```sh
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-008/inputs/onebyte.bin
ASAN_OPTIONS=abort_on_error=0:symbolize=1:detect_leaks=0:allocator_may_return_null=1 \
UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=0 \
LSAN_OPTIONS=detect_leaks=0 \
./build/binr/radare2/radare2 -q -N -n \
  -e scr.color=false \
  -c "aos 268435456" \
  -c q \
  onebyte.bin
```

Expected sanitizer result:

```text
libr/core/cmd_anal.inc.c:9857:6: runtime error: signed integer overflow: 268435456 * 8 cannot be represented in type 'int'
```

Stack trace excerpt:

```text
#0 cmd_anal_opcode libr/core/cmd_anal.inc.c:9857:6
#1 cmd_anal libr/core/cmd_anal.inc.c:16135:3
#2 r_core_cmd_subst_i libr/core/cmd.c:5386:8
#3 r_core_cmd_subst libr/core/cmd.c:4096:10
#4 run_cmd_depth libr/core/cmd.c:6366:9
#5 r_core_cmd libr/core/cmd.c:6469:8
#6 r_core_cmd_lines libr/core/cmd.c:6533:3
#7 run_commands libr/main/radare2.c:398:3
#8 r_main_radare2 libr/main/radare2.c:1819:8
#9 main binr/radare2/radare2.c:119:9
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/core/cmd_anal.inc.c:9857:6
```
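The fix the report asks for, validating the requested length or using checked arithmetic before the `* 8`, as an added C example. This is not radare2's code: `aos_scale_len` and `aos_scale_len_portable` are hypothetical stand-ins for the spot where the length is scaled, and the "return -1 to reject" convention is an assumption of the example. With a 32-bit `int`, `INT_MAX / 8 + 1` is exactly the 268435456 from the report.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not radare2 code. `aos_scale_len` is a hypothetical stand-in
 * for the point where the requested analysis length is multiplied by 8.
 * Returns the scaled length, or -1 when the request is negative or would
 * overflow an int, so the caller can reject it instead of computing UB. */
static int aos_scale_len(int requested) {
    int bits;
    if (requested < 0) {
        return -1;                        /* reject negative lengths */
    }
    /* GCC/Clang checked multiply: returns true (and leaves `bits` unusable)
     * when requested * 8 does not fit in int, e.g. 268435456 * 8. */
    if (__builtin_mul_overflow(requested, 8, &bits)) {
        return -1;
    }
    return bits;
}

/* Portable equivalent without compiler builtins: bound the operand first,
 * so the multiplication itself can never overflow. */
static int aos_scale_len_portable(int requested) {
    if (requested < 0 || requested > INT_MAX / 8) {
        return -1;
    }
    return requested * 8;
}

int main(void) {
    /* Constructed sample requests: the last two are the report's boundary. */
    const int samples[] = { 1024, INT_MAX / 8, INT_MAX / 8 + 1, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = aos_scale_len(samples[i]);
        int p = aos_scale_len_portable(samples[i]);
        printf("aos %d -> builtin: %s, portable: %s\n", samples[i],
               r < 0 ? "rejected" : "ok", p < 0 ? "rejected" : "ok");
    }
    return 0;
}
```

Both variants accept every length up to `INT_MAX / 8` (268435455 on a 32-bit `int`) and reject the first value that would overflow; the bound-check form is the one to prefer where a compiler without the overflow builtins must be supported.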
Source: https://github.com/radareorg/radare2/issues/26041
User: Kery Qi (UID 94424)
Submission: 06/06/2026 07:22 AM (29 days ago)
Moderation: 04/07/2026 06:19 PM (28 days later)
Status: Accepted
VulDB Entry: 376346 [radareorg radare2 up to 6.1.6 libr/core/cmd_anal.inc core_anal_bytes buffer overflow]
Points: 20
