| Field | Value |
|---|---|
| Title | radareorg radare2 6.1.6 Integer Overflow |

Description:

> This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
`r_str_word_get0set` in `libr/util/str.c` can overflow its signed length calculation and pass an invalid allocation size to `malloc`.
The harness calls `r_str_word_get0set` with `stralen == INT_MAX` and a two-byte replacement string. The function computes a wrapped signed `int nlen`, then passes `nlen + 2` to `malloc`. ASan reports an allocation-size-too-big diagnostic with a stack frame at `libr/util/str.c:452`.
The expected behavior is to use checked size arithmetic and reject inputs that would overflow the computed replacement buffer length.
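Added example (not radare2 code and not part of the report): a model of the unchecked signed-length arithmetic the report describes, beside the checked arithmetic the expected behaviour calls for. It assumes the length is computed as `stralen + strlen(newstr) - strlen(oldword)` in an `int` followed by `malloc(nlen + 2)`; the function names are illustrative.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the unchecked arithmetic (assumption, not the radare2 source:
 * nlen = stralen + strlen(newstr) - strlen(oldword) as an int, then
 * malloc(nlen + 2)). The wrap is done in uint32_t so this model has no
 * undefined behaviour; the final cast mirrors the implicit int -> size_t
 * conversion at the malloc call. */
size_t unchecked_alloc_size(int stralen, size_t newlen, size_t oldlen) {
    uint32_t wrapped = (uint32_t)stralen + (uint32_t)newlen - (uint32_t)oldlen;
    int nlen = (int)wrapped;      /* INT_MAX + 1 becomes INT_MIN */
    int total = nlen + 2;         /* INT_MIN + 2: still negative */
    return (size_t)total;         /* converts to a huge size_t */
}

/* Checked version: each step is validated before it can wrap, and the
 * result is refused if it would not fit the int-typed length the API uses. */
bool checked_alloc_size(int stralen, size_t newlen, size_t oldlen, size_t *out) {
    if (stralen < 0 || oldlen > (size_t)stralen) {
        return false;             /* old word cannot exceed the buffer */
    }
    size_t base = (size_t)stralen - oldlen;
    if (newlen > SIZE_MAX - base) {
        return false;             /* base + newlen would wrap size_t */
    }
    size_t nlen = base + newlen;
    if (nlen > (size_t)INT_MAX - 2) {
        return false;             /* nlen + 2 would not fit in an int */
    }
    *out = nlen + 2;
    return true;
}

int main(void) {
    size_t out = 0;
    printf("unchecked: stralen=INT_MAX newlen=2 oldlen=1 -> malloc(%zu)\n",
           unchecked_alloc_size(INT_MAX, 2, 1));
    printf("checked:   same input -> %s\n",
           checked_alloc_size(INT_MAX, 2, 1, &out) ? "accepted" : "rejected");
    printf("checked:   stralen=10 newlen=2 oldlen=1 -> %s, malloc(%zu)\n",
           checked_alloc_size(10, 2, 1, &out) ? "accepted" : "rejected", out);
    return 0;
}
```

With the report's input (`stralen == INT_MAX`, a two-byte replacement) the unchecked model yields the same negative-turned-huge size the sanitizer shows, while the checked version rejects the call before any allocation.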
## Test
PoC:
- [r_str_word_get0set_overflow.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-029/pocs/r_str_word_get0set_overflow.c)
- [run_poc.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-029/pocs/run_poc.sh)
Reproducer:
```sh
ROOT="$PWD"
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-029/pocs/r_str_word_get0set_overflow.c
clang -fsanitize=address,undefined -fno-omit-frame-pointer -g -O0 \
-I"$ROOT/libr/include" \
-I"$ROOT/build" \
-I"$ROOT/shlr/sdb/include" \
-L"$ROOT/build/libr/util" \
-Wl,-rpath,"$ROOT/build/libr/util" \
-o /tmp/r_str_word_get0set_overflow \
r_str_word_get0set_overflow.c \
-lr_util
ASAN_OPTIONS=detect_leaks=0:allocator_may_return_null=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
/tmp/r_str_word_get0set_overflow
```
Expected sanitizer result:
```text
ERROR: AddressSanitizer: requested allocation size ... exceeds maximum supported size
r_str_word_get0set ... libr/util/str.c:452
```
Stack trace excerpt:
```text
ERROR: AddressSanitizer: requested allocation size 0xffffffff80000002 exceeds maximum supported size
#0 malloc asan_malloc_linux.cpp:69
#1 r_str_word_get0set libr/util/str.c:452
#2 main row-validation-output/case-029/pocs/r_str_word_get0set_overflow.c:18
SUMMARY: AddressSanitizer: allocation-size-too-big in malloc
```

| Field | Value |
|---|---|
| Source | ⚠️ https://github.com/radareorg/radare2/issues/26047 |
| User | Kery Qi (UID 94424) |
| Submitted | 06/06/2026 07:32 (30 days ago) |
| Moderated | 05/07/2026 18:03 (29 days later) |
| Status | accepted |
| VulDB Entry | 376375 [radareorg radare2 up to 6.1.6 libr/util/str.c r_str_word_get0set buffer overflow] |
| Points | 20 |