Submission #850386: radareorg radare2 6.1.6 Integer Overflow

Title: radareorg radare2 6.1.6 Integer Overflow
Description:

> This report was generated by AI and manually verified by a human.

## Environment

```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```

## Description

`r_str_word_get0set` in `libr/util/str.c` can overflow its signed length calculation and pass an invalid allocation size to `malloc`. The harness calls `r_str_word_get0set` with `stralen == INT_MAX` and a two-byte replacement string. The function computes a wrapped signed `int nlen`, then passes `nlen + 2` to `malloc`. ASan reports an allocation-size-too-big diagnostic with a stack frame at `libr/util/str.c:452`. The expected behavior is to use checked size arithmetic and reject inputs that would overflow the computed replacement buffer length.

## Test

PoC:

- [r_str_word_get0set_overflow.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-029/pocs/r_str_word_get0set_overflow.c)
- [run_poc.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-029/pocs/run_poc.sh)

Reproducer:

```sh
ROOT="$PWD"
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-029/pocs/r_str_word_get0set_overflow.c
clang -fsanitize=address,undefined -fno-omit-frame-pointer -g -O0 \
  -I"$ROOT/libr/include" \
  -I"$ROOT/build" \
  -I"$ROOT/shlr/sdb/include" \
  -L"$ROOT/build/libr/util" \
  -Wl,-rpath,"$ROOT/build/libr/util" \
  -o /tmp/r_str_word_get0set_overflow \
  r_str_word_get0set_overflow.c \
  -lr_util
ASAN_OPTIONS=detect_leaks=0:allocator_may_return_null=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
  /tmp/r_str_word_get0set_overflow
```

Expected sanitizer result:

```text
ERROR: AddressSanitizer: requested allocation size ... exceeds maximum supported size
r_str_word_get0set ... libr/util/str.c:452
```

Stack trace excerpt:

```text
ERROR: AddressSanitizer: requested allocation size 0xffffffff80000002 exceeds maximum supported size
    #0 malloc asan_malloc_linux.cpp:69
    #1 r_str_word_get0set libr/util/str.c:452
    #2 main row-validation-output/case-029/pocs/r_str_word_get0set_overflow.c:18
SUMMARY: AddressSanitizer: allocation-size-too-big in malloc
```
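The checked size arithmetic that the report names as the expected behavior, written out as an added example; this is not radare2's code and not the reporter's PoC. The formula `stralen - oldlen + newlen + 2`, the one-byte old word, and the names `checked_replace_len`, `replace_len_or_zero` and `wrapped_request` are assumptions standing in for whatever `r_str_word_get0set` really computes. `wrapped_request` only models, in well-defined 64-bit arithmetic, the value an unchecked 32-bit `int` path hands to `malloc`, so that the request size in the sanitizer output above can be recognised as a sign-extended wrapped `int`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Checked length for "replace an oldlen-byte word inside a stralen-byte string
 * with a newlen-byte word, plus 2 bytes of slack".  The formula is an assumed
 * stand-in for the library's real one; the overflow checks are the point.
 * Returns true and stores the size in *out, or false when any step would wrap
 * or the result would not fit the int-based API. */
static bool checked_replace_len(size_t stralen, size_t oldlen, size_t newlen,
                                size_t *out) {
    size_t grown, total;
    if (oldlen > stralen) {
        return false;                       /* word cannot exceed the string */
    }
    if (__builtin_add_overflow(stralen, newlen, &grown)) {
        return false;                       /* stralen + newlen wrapped */
    }
    grown -= oldlen;                        /* safe: oldlen <= stralen <= grown */
    if (__builtin_add_overflow(grown, 2, &total)) {
        return false;                       /* the + 2 wrapped */
    }
    if (total > (size_t)INT_MAX) {
        return false;                       /* would not survive an int nlen */
    }
    *out = total;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the input is rejected. */
static size_t replace_len_or_zero(size_t stralen, size_t oldlen, size_t newlen) {
    size_t n;
    return checked_replace_len(stralen, oldlen, newlen, &n) ? n : 0;
}

/* What an unchecked 32-bit signed computation would pass to malloc on an LP64
 * host.  Computed in 64-bit arithmetic so this model itself has no undefined
 * behaviour: fold to 32 bits, read as two's complement, sign-extend. */
static uint64_t wrapped_request(int64_t stralen, int64_t oldlen, int64_t newlen) {
    int64_t nlen_plus_2 = stralen - oldlen + newlen + 2;
    uint32_t low = (uint32_t)(uint64_t)nlen_plus_2;          /* modulo 2^32 */
    int64_t folded = low >= 0x80000000u ? (int64_t)low - 0x100000000LL
                                         : (int64_t)low;    /* int wrap */
    return (uint64_t)folded;                                 /* (size_t)(int) */
}

int main(void) {
    size_t n;
    /* Ordinary input: 10-byte string, 3-byte word replaced by 5 bytes. */
    if (checked_replace_len(10, 3, 5, &n)) {
        printf("ok: allocate %zu bytes\n", n);
    }
    /* The report's shape: stralen == INT_MAX with a two-byte replacement
     * (the one-byte old word is an assumed value). */
    if (!checked_replace_len((size_t)INT_MAX, 1, 2, &n)) {
        printf("rejected: length would overflow int\n");
    }
    printf("unchecked path would request 0x%llx bytes\n",
           (unsigned long long)wrapped_request(INT_MAX, 1, 2));
    return 0;
}
```

With the report's parameters the unchecked model yields `0xffffffff80000002`, the same request size the sanitizer printed, while the checked version refuses the input before any allocation is attempted; `__builtin_add_overflow` is available in both GCC and Clang, which is what the reproducer already builds with.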
Source: https://github.com/radareorg/radare2/issues/26047
User: Kery Qi (UID 94424)
Submitted: 06/06/2026 07:32 (30 days ago)
Moderated: 05/07/2026 18:03 (29 days later)
Status: accepted
VulDB entry: 376375 [radareorg radare2 up to 6.1.6 libr/util/str.c r_str_word_get0set buffer overflow]
Points: 20
