sort: fix buffer under-read (CWE-127)

* src/sort.c (begfield): Check pointer adjustment
to avoid Out-of-range pointer offset (CWE-823).
(limfield): Likewise.
* tests/sort/sort-field-limit.sh: Add a new test,
which triggers with ASAN or Valgrind.
* tests/local.mk: Reference the new test.
* NEWS: Mention bug fix introduced in v7.2 (2009).
Fixes https://bugs.gnu.org/78507

diff --git a/NEWS b/NEWS
index 6ff40320640905be03ca1122f8e657fdb4607218..923aa72f88d04973a90a5f871161e077c2a6d3d0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,11 @@ GNU coreutils NEWS                                    -*- outline -*-
   copying to non-NFS files from NFSv4 files with trivial ACLs.
   [bug introduced in coreutils-9.6]
 
+  sort with key character offsets of SIZE_MAX, could induce
+  a read of 1 byte before an allocated heap buffer. For example:
+  'sort +0.18446744073709551615R input' on 64 bit systems.
+  [bug introduced in coreutils-7.2]
+
 
 * Noteworthy changes in release 9.7 (2025-04-09) [stable]
 

diff --git a/src/sort.c b/src/sort.c
index b10183b6f669bd68d7ad3ceee1409e7f3ea994c2..7af1a25121c14dabc13458f3c168f71471ddd338 100644 (file)
--- a/src/sort.c
+++ b/src/sort.c
@@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key)
       ++ptr;
 
   /* Advance PTR by SCHAR (if possible), but no further than LIM.  */
-  ptr = MIN (lim, ptr + schar);
+  size_t remaining_bytes = lim - ptr;
+  if (schar < remaining_bytes)
+    ptr += schar;
+  else
+    ptr = lim;
 
   return ptr;
 }
@@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key)
           ++ptr;
 
       /* Advance PTR by ECHAR (if possible), but no further than LIM.  */
-      ptr = MIN (lim, ptr + echar);
+      size_t remaining_bytes = lim - ptr;
+      if (echar < remaining_bytes)
+        ptr += echar;
+      else
+        ptr = lim;
     }
 
   return ptr;

diff --git a/tests/local.mk b/tests/local.mk
index 4da6756ac632e06d376f643346373701c192058e..642d225fa7b9d616f128829bc1ae432efb62897d 100644 (file)
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -388,6 +388,7 @@ all_tests =                                 \
   tests/sort/sort-debug-keys.sh                        \
   tests/sort/sort-debug-warn.sh                        \
   tests/sort/sort-discrim.sh                   \
+  tests/sort/sort-field-limit.sh               \
   tests/sort/sort-files0-from.pl               \
   tests/sort/sort-float.sh                     \
   tests/sort/sort-h-thousands-sep.sh           \

diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
new file mode 100755 (executable)
index 0000000..52d8e1d
--- /dev/null
+++ b/tests/sort/sort-field-limit.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+# From 7.2-9.7, this would trigger an out of bounds mem read
+
+# Copyright (C) 2025 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ sort
+getlimits_
+
+# This issue triggers with valgrind or ASAN
+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
+  VALGRIND='valgrind --error-exitcode=1'
+
+{ printf '%s\n' aa bb; } > in || framework_failure_
+
+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
+compare in out || fail=1
+
+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
+compare in out || fail=1
+
+Exit $fail