Submit #569966: GNU PSPP pspp-convert master Integer Overflow

Title: GNU PSPP pspp-convert master Integer Overflow

Description:

Summary

pspp-convert does not correctly validate the input to the -l option used for password brute-forcing encrypted syntax files. If an extremely large or negative number is provided, it causes an unreasonably large memory allocation attempt, which results in a crash.

Environment

PSPP version: master in Git repository (commit 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb)
OS: Ubuntu 20.04.6 LTS
Compiler: Clang 12.0.1

Steps to reproduce

    # export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
    # export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
    # ./configure --prefix=$INSTALL_DIR --without-gui --disable-shared --without-perl-module
    # make -j64 && make install

    root@9c4de30a2a30:./pspp-convert -O csv -a A -l -1 POC /dev/null
    =================================================================
    ==2738934==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffffc (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x49f072 in calloc (/new-test/fuzzdir/fuz-pspp-convert/pspp-convert+0x49f072)
        #1 0x4d22bf in decrypt_file /new-test/build-pspp/pspp-82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb/utilities/pspp-convert.c:456:22
        #2 0x4d0d98 in main /new-test/build-pspp/pspp-82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb/utilities/pspp-convert.c:286:11
        #3 0x7f8f6fa98d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

    ==2738934==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big (/new-test/fuzzdir/fuz-pspp-convert/pspp-convert+0x49f072) in calloc
    ==2738934==ABORTING

POC

https://drive.google.com/file/d/12IIt8eR591Z8O1ABOCkT_jdXSWaBxMZx/view?usp=drive_link

Credit

Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory)
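The sanitizer trace above shows a -l value of -1 reaching calloc as a request for 0xfffffffffffffffc bytes. The following is an added example, not PSPP's code and not the patch for this bug: it shows the two checks an option handler needs so that a negative, non-numeric or oversized length is rejected before any allocation is attempted. The option name, the MAX_ALLOWED_LENGTH cap, the 16-byte-per-slot layout and the 1 MiB allocation cap are assumptions made for the example.

```c
/* Added example, not PSPP's code: defensive parsing of a numeric length
 * option (such as -l above) plus an overflow-checked allocation. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound on the accepted length (an assumption). */
#define MAX_ALLOWED_LENGTH 64

/* Parse a non-negative decimal length from OPTARG into *OUT.
 * Returns false for empty input, a sign character, trailing junk,
 * out-of-range values, or anything above MAX_ALLOWED_LENGTH. */
bool parse_length_option(const char *optarg, size_t *out)
{
    if (optarg == NULL || *optarg == '\0')
        return false;
    /* strtoul silently wraps "-1" to ULONG_MAX, which is exactly how a
     * negative argument turns into a huge allocation size; reject signs. */
    if (*optarg == '-' || *optarg == '+')
        return false;
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(optarg, &end, 10);
    if (errno == ERANGE || end == optarg || *end != '\0')
        return false;
    if (v > MAX_ALLOWED_LENGTH)
        return false;
    *out = (size_t)v;
    return true;
}

/* Allocate COUNT elements of SIZE bytes only if count*size cannot overflow
 * and stays under a hard cap; otherwise return NULL instead of handing an
 * absurd size to the allocator. */
void *checked_calloc(size_t count, size_t size)
{
    const size_t cap = (size_t)1 << 20; /* 1 MiB cap for this example (assumption) */
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;
    if (count * size > cap)
        return NULL;
    return calloc(count, size);
}

/* Combines both checks the way an option handler would. Returns the number
 * of bytes that were allocated (and freed again), or 0 if the value was
 * rejected at either step. */
size_t try_allocate_for_option(const char *optarg)
{
    size_t len;
    if (!parse_length_option(optarg, &len))
        return 0;
    /* Hypothetical layout: one 16-byte slot per position, plus a terminator. */
    void *buf = checked_calloc(len + 1, 16);
    if (buf == NULL)
        return 0;
    size_t bytes = (len + 1) * 16;
    free(buf);
    return bytes;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "-1";
    size_t n = try_allocate_for_option(arg);
    if (n == 0)
        printf("rejected -l value \"%s\"\n", arg);
    else
        printf("accepted -l value \"%s\", would allocate %zu bytes\n", arg, n);
    return 0;
}
```

Run it with the value from the report (`./a.out -1`) and it is rejected at the parser; run it with `8` and the allocation goes through. Parsing with an explicit sign check and range check, and gating calloc behind an overflow test, is what keeps a bad command-line value from ever becoming an allocation-size-too-big abort.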
Source: https://savannah.gnu.org/bugs/index.php?67069
User: Anonymous User
Submission: 05/02/2025 15:17 (12 months ago)
Moderation: 05/20/2025 15:11 (18 days later)
Status: Accepted
VulDB entry: 309652 [GNU PSPP 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb pspp-convert.c calloc -l integer overflow]
Points: 20
