| Title | radareorg radare2 6.1.6 Integer Overflow |
|---|
| Description | > This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
`r_str_append` in `libr/util/str.c` can overflow signed `int` arithmetic while computing the required appended string size.
A harness linked against the sanitized `libr_util` drives the size calculation to `2147483647 + 1`. UBSan reports signed integer overflow at `libr/util/str.c:870:36`.
The expected behavior is to use checked size arithmetic and reject append operations whose computed size exceeds the supported range.
## Test
PoC:
- [r_str_append_overflow_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c)
- [run_r_str_append_overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/run_r_str_append_overflow.sh)
Reproducer:
```sh
ROOT="$PWD"
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c
clang -fsanitize=address,undefined -fno-omit-frame-pointer -g -O0 \
-I"$ROOT/libr/include" \
-I"$ROOT/build" \
-I"$ROOT/shlr/sdb/include" \
-L"$ROOT/build/libr/util" \
-Wl,-rpath,"$ROOT/build/libr/util" \
-o /tmp/r_str_append_overflow_harness \
r_str_append_overflow_harness.c \
-lr_util
ASAN_OPTIONS=detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
/tmp/r_str_append_overflow_harness
```
Expected sanitizer result:
```text
libr/util/str.c:870:36: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
```
Stack trace excerpt:
```text
#0 r_str_append libr/util/str.c:870
#1 main row-validation-output/case-027/pocs/r_str_append_overflow_harness.c:108
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/util/str.c:870:36
```
|
|---|
| Source | ⚠️ https://github.com/radareorg/radare2/issues/26045 |
|---|
| User | Kery Qi (UID 94424) |
|---|
| Submitted | 2026. 06. 06. AM 07:31 (29 days ago) |
|---|
| Moderation | 2026. 07. 04. PM 06:19 (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376350 [radareorg radare2 up to 6.1.6 libr/util/str.c r_str_ndup/r_str_append memory corruption] |
|---|
| Points | 20 |
|---|
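
The Description asks for checked size arithmetic that rejects appends whose computed size exceeds the supported range. A sketch of that pattern in C, added here as an example and not radare2's code or its fix; `append_size`, `checked_append` and the `INT_MAX` cap (`APPEND_MAX`) are assumptions, and the lengths in `main` are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap: sizes must stay representable by callers that use int lengths. */
#define APPEND_MAX ((size_t)INT_MAX)

/* Compute plen + slen + 1 (NUL terminator) without wrapping.
 * Returns false if the result would exceed APPEND_MAX. */
static bool append_size(size_t plen, size_t slen, size_t *out) {
	if (plen >= APPEND_MAX || slen >= APPEND_MAX - plen) {
		return false; /* plen + slen + 1 > APPEND_MAX */
	}
	*out = plen + slen + 1;
	return true;
}

/* Append src to heap string dst (dst may be NULL). Returns the new buffer,
 * or NULL on rejection/allocation failure, leaving dst valid for the caller. */
static char *checked_append(char *dst, const char *src) {
	if (!src) {
		src = "";
	}
	size_t plen = dst ? strlen(dst) : 0;
	size_t slen = strlen(src);
	size_t need;
	if (!append_size(plen, slen, &need)) {
		return NULL;
	}
	char *out = realloc(dst, need);
	if (!out) {
		return NULL;
	}
	memcpy(out + plen, src, slen + 1);
	return out;
}

int main(void) {
	size_t n = 0;
	/* Constructed lengths: the sum is 2147483647, so adding the NUL would overflow int. */
	printf("near-limit accepted: %d\n", append_size(1073741824u, 1073741823u, &n));
	char *s = checked_append(checked_append(NULL, "r2"), "-append");
	printf("%s\n", s ? s : "(rejected)");
	free(s);
	return 0;
}
```

The lengths stay in `size_t` from `strlen` through `realloc`, and the bound is tested by subtraction before any addition, so no intermediate value can wrap.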