Submission #850385: radareorg radare2 6.1.6 Integer Overflow

Title: radareorg radare2 6.1.6 Integer Overflow
Description:

> This report was generated by AI and manually verified by a human.

## Environment

```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```

## Description

`r_str_append` in `libr/util/str.c` can overflow signed `int` arithmetic while computing the required appended string size.

A harness linked against the sanitized `libr_util` drives the size calculation to `2147483647 + 1`. UBSan reports signed integer overflow at `libr/util/str.c:870:36`.

The expected behavior is to use checked size arithmetic and reject append operations whose computed size exceeds the supported range.

## Test

PoC:

- [r_str_append_overflow_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c)
- [run_r_str_append_overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/run_r_str_append_overflow.sh)

Reproducer:

```sh
ROOT="$PWD"
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c
clang -fsanitize=address,undefined -fno-omit-frame-pointer -g -O0 \
  -I"$ROOT/libr/include" \
  -I"$ROOT/build" \
  -I"$ROOT/shlr/sdb/include" \
  -L"$ROOT/build/libr/util" \
  -Wl,-rpath,"$ROOT/build/libr/util" \
  -o /tmp/r_str_append_overflow_harness \
  r_str_append_overflow_harness.c \
  -lr_util
ASAN_OPTIONS=detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
/tmp/r_str_append_overflow_harness
```

Expected sanitizer result:

```text
libr/util/str.c:870:36: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
```

Stack trace excerpt:

```text
#0 r_str_append libr/util/str.c:870
#1 main row-validation-output/case-027/pocs/r_str_append_overflow_harness.c:108
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/util/str.c:870:36
```
Source: https://github.com/radareorg/radare2/issues/26045
User: Kery Qi (UID 94424)
Submitted: 2026-06-06 07:31 (29 days ago)
Moderation: 2026-07-04 18:19 (28 days later)
Status: Accepted
VulDB entry: 376350 [radareorg radare2 up to 6.1.6 libr/util/str.c r_str_ndup/r_str_append memory corruption]
Points: 20
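
The expected behavior named in the Description (checked size arithmetic that rejects an append whose computed size exceeds the supported range) is shown here as an added C example. It is not radare2's code or the reporter's harness; `append_size`, `checked_append` and the `INT_MAX` limit are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not radare2 code): compute a_len + b_len + 1 for the
 * NUL terminator, rejecting any result above INT_MAX (assumed limit). */
static bool append_size(size_t a_len, size_t b_len, size_t *out) {
	const size_t max = (size_t)INT_MAX;
	/* Compare against the remaining headroom instead of adding first,
	 * so the check itself can never wrap. */
	if (a_len >= max || b_len >= max - a_len) {
		return false;
	}
	*out = a_len + b_len + 1;
	return true;
}

/* Hypothetical append: returns the grown string, or NULL (dst untouched,
 * still owned by the caller) when the size is out of range or realloc fails. */
static char *checked_append(char *dst, const char *src) {
	if (!src) {
		return dst;
	}
	size_t dlen = dst ? strlen(dst) : 0;
	size_t slen = strlen(src);
	size_t need;
	if (!append_size(dlen, slen, &need)) {
		return NULL;
	}
	char *out = realloc(dst, need);
	if (!out) {
		return NULL;
	}
	memcpy(out + dlen, src, slen + 1); /* copies the terminator too */
	return out;
}

int main(void) {
	size_t n = 0;
	/* Constructed lengths matching the reported 2147483647 + 1 case. */
	printf("in range: %d\n", append_size(3, 4, &n));
	printf("INT_MAX total: %d\n", append_size((size_t)INT_MAX - 1, 1, &n));
	char *s = checked_append(checked_append(NULL, "r2"), "-util");
	printf("%s\n", s ? s : "(null)");
	free(s);
	return 0;
}
```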
