| Title | radareorg radare2 6.1.6 Integer Overflow |
|---|
| Description | > This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
`r_print_format_hexpairs` in `libr/util/format2.c` can return an attacker-controlled element count that overflows the signed offset accounting in its caller.
The crafted format `b[2147483647]X` advances the current index and then makes the `X` hexpairs field return `INT_MAX`. The immediate caller overflows `i += size` at `libr/util/format2.c:2532:8`. UBSan reports:
```text
runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
```
The expected behavior is for the format parser to reject oversized repeat counts or use checked arithmetic before updating the signed index.
## Test
PoC:
- [pf2_hexpairs_overflow_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-009/pocs/pf2_hexpairs_overflow_harness.c)
- [run_pf2_hexpairs_overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-009/pocs/run_pf2_hexpairs_overflow.sh)
- [pf2_hexpairs_overflow.r2](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-009/inputs/pf2_hexpairs_overflow.r2)
Reproducer:
```sh
ASAN_OPTIONS=detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
./build/binr/radare2/radare2 -q -N \
-e scr.color=0 \
-c "pf2 [2147483647]X" \
-c q \
malloc://16
```
Expected sanitizer result:
```text
libr/util/format2.c:2532:8: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
```
Stack trace excerpt:
```text
#0 r_print_format_internal libr/util/format2.c:2532
#1 r_print_format2 libr/util/format2.c:2898
#2 main row-validation-output/case-009/pocs/pf2_hexpairs_overflow_harness.c:9
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/util/format2.c:2532:8
```
|
|---|
| Source | ⚠️ https://github.com/radareorg/radare2/issues/26042 |
|---|
| User | Kery Qi (UID 94424) |
|---|
| Submission | 2026-06-06 07:23 (29 days ago) |
|---|
| Moderation | 2026-07-04 18:19 (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376347 [radareorg radare2 up to 6.1.6 hexpairs Parser libr/core/cmd_anal.inc.c cmd_anal_opcode memory corruption] |
|---|
| Points | 20 |
|---|
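
The Description's expected behavior (reject oversized repeat counts, or use checked arithmetic before updating the signed index) can be sketched as follows. This is an added example, not code from radare2 or from the original report; `parse_repeat`, `advance_index` and the `MAX_REPEAT` cap are hypothetical names and values chosen for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_REPEAT 4096 /* assumed policy cap, not a radare2 constant */

/* Hypothetical helper: parse the decimal N in "[N]" and reject N > max_count
 * without ever computing a value that does not fit in int. */
static bool parse_repeat(const char *s, int max_count, int *out) {
	if (*s++ != '[' || *s < '0' || *s > '9') {
		return false;
	}
	int n = 0;
	for (; *s >= '0' && *s <= '9'; s++) {
		int d = *s - '0';
		if (d > max_count || n > (max_count - d) / 10) {
			return false; /* n * 10 + d would exceed max_count */
		}
		n = n * 10 + d;
	}
	if (*s != ']') {
		return false;
	}
	*out = n;
	return true;
}

/* Hypothetical helper: checked replacement for an unchecked `i += size`. */
static bool advance_index(int *i, int size) {
	if (*i < 0 || size < 0 || size > INT_MAX - *i) {
		return false; /* *i + size is not representable in int */
	}
	*i += size;
	return true;
}

int main(void) {
	int i = 1, n = 0; /* i = 1 and INT_MAX are the operands in the UBSan report */
	printf("parse [2147483647] with cap: %s\n",
		parse_repeat("[2147483647]X", MAX_REPEAT, &n) ? "accepted" : "rejected");
	printf("advance 1 + INT_MAX: %s (i stays %d)\n",
		advance_index(&i, INT_MAX) ? "ok" : "rejected", i);
	return 0;
}
```

Either guard alone stops the reported overflow; applying both keeps the index valid even when a field handler returns a large count that did not come from a parsed repeat.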