| Title | radareorg radare2 6.1.6 Integer Overflow |
|---|
| Description | > This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
`r_str_append` in `libr/util/str.c` can overflow signed `int` arithmetic while computing the required appended string size.
A harness linked against the sanitized `libr_util` drives the size calculation to `2147483647 + 1`. UBSan reports signed integer overflow at `libr/util/str.c:870:36`.
The expected behavior is to use checked size arithmetic and reject append operations whose computed size exceeds the supported range.
## Test
PoC:
- [r_str_append_overflow_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c)
- [run_r_str_append_overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-027/pocs/run_r_str_append_overflow.sh)
Reproducer:
```sh
ROOT="$PWD"
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-027/pocs/r_str_append_overflow_harness.c
clang -fsanitize=address,undefined -fno-omit-frame-pointer -g -O0 \
-I"$ROOT/libr/include" \
-I"$ROOT/build" \
-I"$ROOT/shlr/sdb/include" \
-L"$ROOT/build/libr/util" \
-Wl,-rpath,"$ROOT/build/libr/util" \
-o /tmp/r_str_append_overflow_harness \
r_str_append_overflow_harness.c \
-lr_util
ASAN_OPTIONS=detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
/tmp/r_str_append_overflow_harness
```
Expected sanitizer result:
```text
libr/util/str.c:870:36: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
```
Stack trace excerpt:
```text
#0 r_str_append libr/util/str.c:870
#1 main row-validation-output/case-027/pocs/r_str_append_overflow_harness.c:108
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/util/str.c:870:36
```
|
|---|
| Source | ⚠️ https://github.com/radareorg/radare2/issues/26045 |
|---|
| User | Kery Qi (UID 94424) |
|---|
| Submission | 06/06/2026 07:31 (29 days ago) |
|---|
| Moderation | 07/04/2026 18:19 (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376350 [radareorg radare2 up to 6.1.6 libr/util/str.c r_str_ndup/r_str_append integer overflow] |
|---|
| Points | 20 |
|---|