| Title | radareorg radare2 6.1.6 Integer Overflow |
|---|
| Description | > This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
The `pb` print command can trigger a signed integer overflow in `cmd_print` in `libr/core/cmd_print.inc.c`.
Running `pb 0x10000000` makes the command compute `len * 8` in a signed `int`. UBSan reports the overflow at `libr/core/cmd_print.inc.c:7058:25`:
```text
runtime error: signed integer overflow: 268435456 * 8 cannot be represented in type 'int'
```
The expected behavior is to validate the requested print length before multiplying by 8, or to use checked arithmetic and reject oversized requests.
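The two mitigations named above (validate the length before multiplying, or use checked arithmetic), as an added example that is not code from the report or from radare2. The helper names `bit_count_validated` and `bit_count_checked` are hypothetical, and the second one assumes a GCC or Clang compiler for `__builtin_mul_overflow`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helpers, not radare2 code: compute the bit count for a
 * byte length (len * 8, the product named in the report) but refuse any
 * length whose product does not fit in a signed int. */
#define BITS_PER_BYTE 8

/* Validate-then-multiply: portable, no compiler extensions. */
static bool bit_count_validated(int len, int *bits) {
	if (len < 0 || len > INT_MAX / BITS_PER_BYTE) {
		return false; /* negative or oversized request */
	}
	*bits = len * BITS_PER_BYTE; /* cannot overflow after the check */
	return true;
}

/* Checked arithmetic: the GCC/Clang builtin reports the overflow
 * instead of executing an undefined signed multiplication. */
static bool bit_count_checked(int len, int *bits) {
	if (len < 0) {
		return false;
	}
	return !__builtin_mul_overflow(len, BITS_PER_BYTE, bits);
}

int main(void) {
	/* Constructed inputs: the report's 0x10000000 plus boundary values. */
	const int samples[] = { 16, INT_MAX / 8, INT_MAX / 8 + 1, 0x10000000, -1 };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int a = 0, b = 0;
		bool ok_a = bit_count_validated(samples[i], &a);
		bool ok_b = bit_count_checked(samples[i], &b);
		printf("len=%d validated=%s checked=%s\n", samples[i],
			ok_a ? "ok" : "rejected", ok_b ? "ok" : "rejected");
	}
	return 0;
}
```

Both helpers accept `INT_MAX / 8` and reject `0x10000000`, which is exactly one past that limit.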
## Test
PoC:
- [run-pb-int-overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-031/pocs/run-pb-int-overflow.sh)
- [pb-int-overflow.r2](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-031/inputs/pb-int-overflow.r2)
Reproducer:
```sh
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-031/inputs/pb-int-overflow.r2
ASAN_OPTIONS=abort_on_error=0:symbolize=1:detect_leaks=0:allocator_may_return_null=1 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
LSAN_OPTIONS=detect_leaks=0 \
./build/binr/radare2/radare2 -q -n -N \
-e scr.color=0 \
-e scr.interactive=false \
-i pb-int-overflow.r2 \
malloc://1
```
Expected sanitizer result:
```text
libr/core/cmd_print.inc.c:7058:25: runtime error: signed integer overflow: 268435456 * 8 cannot be represented in type 'int'
```
Stack trace excerpt:
```text
#0 cmd_print libr/core/cmd_print.inc.c:7058:25
#1 r_core_cmd_subst_i libr/core/cmd.c:5386:8
#2 r_core_cmd_subst libr/core/cmd.c:4096:10
#3 run_cmd_depth libr/core/cmd.c:6366:9
#4 r_core_cmd libr/core/cmd.c:6469:8
#5 r_core_cmd_lines libr/core/cmd.c:6507:8
#6 r_core_cmd_file libr/core/cmd.c:6552:7
#7 r_core_run_script libr/core/cmd.c:1536:13
#8 run_commands libr/main/radare2.c:386:13
#9 r_main_radare2 libr/main/radare2.c:1819:8
#10 main binr/radare2/radare2.c:119:9
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/core/cmd_print.inc.c:7058:25
```
|
|---|
| Source | https://github.com/radareorg/radare2/issues/26048 |
|---|
| User | Kery Qi (UID 94424) |
|---|
| Submission | 06/06/2026 07:32 (30 days ago) |
|---|
| Moderation | 07/05/2026 18:03 (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376376 [radareorg radare2 up to 6.1.6 pb Print Command libr/core/cmd_print.inc cmd_print integer overflow] |
|---|
| Points | 20 |
|---|