Submit #850382: radareorg radare2 6.1.6 Integer Overflow

Title: radareorg radare2 6.1.6 Integer Overflow

Description:

> This report was generated by AI and manually verified by a human.

## Environment

```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```

## Description

`r_print_format_hexpairs` in `libr/util/format2.c` can return an attacker-controlled element count that overflows the signed offset accounting in its caller.

The crafted format `b[2147483647]X` advances the current index and then makes the `X` hexpairs field return `INT_MAX`. The immediate caller overflows `i += size` at `libr/util/format2.c:2532:8`.

UBSan reports:

```text
runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
```

The expected behavior is for the format parser to reject oversized repeat counts or use checked arithmetic before updating the signed index.

## Test

PoC:

- [pf2_hexpairs_overflow_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-009/pocs/pf2_hexpairs_overflow_harness.c)
- [run_pf2_hexpairs_overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-009/pocs/run_pf2_hexpairs_overflow.sh)
- [pf2_hexpairs_overflow.r2](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-009/inputs/pf2_hexpairs_overflow.r2)

Reproducer:

```sh
ASAN_OPTIONS=detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
./build/binr/radare2/radare2 -q -N \
  -e scr.color=0 \
  -c "pf2 [2147483647]X" \
  -c q \
  malloc://16
```

Expected sanitizer result:

```text
libr/util/format2.c:2532:8: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
```

Stack trace excerpt:

```text
#0 r_print_format_internal libr/util/format2.c:2532
#1 r_print_format2 libr/util/format2.c:2898
#2 main row-validation-output/case-009/pocs/pf2_hexpairs_overflow_harness.c:9
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/util/format2.c:2532:8
```
Source: https://github.com/radareorg/radare2/issues/26042
User: Kery Qi (UID 94424)
Submission: 06/06/2026 07:23 (29 days ago)
Moderation: 07/04/2026 18:19 (28 days later)
Status: Accepted
VulDB entry: 376347 [radareorg radare2 up to 6.1.6 hexpairs Parser libr/core/cmd_anal.inc.c cmd_anal_opcode integer overflow]
Points: 20
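
The expected behavior named in the description (reject oversized repeat counts, or check the arithmetic before updating the signed index), sketched in C as an added example. It is not radare2's code or its fix; `MAX_REPEAT`, `parse_repeat` and `advance_index` are hypothetical names and the cap value is an assumption.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on a repeat count (assumption); a real parser would
 * derive it from the size of the buffer being formatted. */
#define MAX_REPEAT 4096

/* Parse "[N]" at the start of fmt. Returns true and stores N only when
 * N is a decimal number in 1..MAX_REPEAT immediately followed by ']'. */
static bool parse_repeat(const char *fmt, int *count) {
    if (fmt[0] != '[') return false;
    errno = 0;
    char *end = NULL;
    long v = strtol(fmt + 1, &end, 10);
    if (end == fmt + 1 || *end != ']') return false; /* no digits or no ']' */
    if (errno == ERANGE || v < 1 || v > MAX_REPEAT) return false;
    *count = (int)v;
    return true;
}

/* Checked form of `i += size`: refuses negative operands and any sum
 * that would exceed INT_MAX, leaving *i untouched on failure. */
static bool advance_index(int *i, int size) {
    if (*i < 0 || size < 0 || size > INT_MAX - *i) return false;
    *i += size;
    return true;
}

int main(void) {
    /* Constructed inputs: the count from the report and a small one. */
    const char *samples[] = { "[2147483647]X", "[16]X" };
    for (size_t k = 0; k < 2; k++) {
        int n = 0;
        printf("%-16s repeat %s\n", samples[k],
               parse_repeat(samples[k], &n) ? "accepted" : "rejected");
    }
    int i = 1; /* index value shown in the UBSan message */
    printf("1 + INT_MAX      %s\n",
           advance_index(&i, INT_MAX) ? "ok" : "refused");
    return 0;
}
```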
