doc: split -C: test and document a heap overflow

This was introduced in coreutils 9.2 through commit v9.1-184-g40bf1591b,
and was fixed in coreutils 9.5 through commit v9.4-111-gc4c5ed8f4.
This issue has been assigned CVE-2024-0684.

* NEWS: Mention the bug fix.
* tests/split/line-bytes.sh: Add a test case.
Reported by Valentin Metz.

diff --git a/NEWS b/NEWS
index d1be308f707adb2ff00017b493df2842ec9c89d4..dc5d875ddc8e8055fbe4f063b61119a786dfda91 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,10 @@ GNU coreutils NEWS                                    -*- outline -*-
   character platforms with a 0xA0 (aka &nbsp) grouping character.
   [bug introduced in coreutils-9.1]
 
+  split --line-bytes with a mixture of very long and short lines
+  no longer overwrites the heap (CVE-2024-0684).
+  [bug introduced in coreutils-9.2]
+
   tail no longer mishandles input from files in /proc and /sys file systems,
   on systems with a page size larger than the stdio BUFSIZ.
   [This bug was present in "the beginning".]

diff --git a/tests/split/line-bytes.sh b/tests/split/line-bytes.sh
index 6c57ad1a1a7f1615050cd6eaad9f7bde041cb396..a396cd7972d49ab336bd4ddcc145776f6aa15a11 100755 (executable)
--- a/tests/split/line-bytes.sh
+++ b/tests/split/line-bytes.sh
@@ -84,4 +84,16 @@ for b in $(seq 10); do
   compare no_eol_splits_exp no_eol_splits || fail=1
 done
 
+# Test hold buffer management with --lines-bytes.
+# The following triggers (with ASAN) a heap overflow issue
+# between coreutils 9.2 and 9.4 inclusive.
+printf '%131070s\n' '' >expaa || framework_failure_
+printf 'x\n' >expab || framework_failure_
+printf '%131071s\n' '' >expac || framework_failure_
+cat expaa expab expac >bigin || framework_failure_
+split -C 131072 ---io=131072 bigin || fail=1
+compare expaa xaa || fail=1
+compare expab xab || fail=1
+compare expac xac || fail=1
+
 Exit $fail