From eeef7c77436a78cd27047b0f5fa6925d56de3cb0 Mon Sep 17 00:00:00 2001
From: Christian Brabandt
Date: Sun, 10 Aug 2025 00:06:51 +0200
Subject: [PATCH] patch 9.1.1616: xxd: possible buffer overflow with bitwise output

Problem: xxd: possible buffer overflow with bitwise output (after v9.1.1459, Xudong Cao)
Solution: Update LLEN_NO_COLOR macro definition for the max line output (using bitwise output -b)

fixes: #17944
closes: #17947

Signed-off-by: Christian Brabandt
---
 src/testdir/test_xxd.vim | 21 +++++++++++++++++++++
 src/version.c | 2 ++
 src/xxd/Makefile | 4 +++-
 src/xxd/xxd.c | 9 +++------
 4 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/src/testdir/test_xxd.vim b/src/testdir/test_xxd.vim
index 79fc9bf10d..477af7a540 100644
--- a/src/testdir/test_xxd.vim
+++ b/src/testdir/test_xxd.vim
@@ -680,4 +680,25 @@ func Test_xxd_color2()
 call delete('XXDfile_colors')
 unlet! $PS1
 endfunc
+
+" this caused a buffer overflow
+func Test_xxd_overflow()
+ CheckUnix
+ CheckExecutable /bin/true
+ new
+ " we are only checking, that there are addresses in the first 5 lines
+ let expected = [
+ \ '00000000: ',
+ \ '00000080: ',
+ \ '00000100: ',
+ \ '00000180: ',
+ \ '00000200: ']
+ exe "0r! " s:xxd_cmd "-b -E -c 128 -g 256 /bin/true 2>&1"
+ " there should not be an ASAN error message
+ call getline(1, '$')->join('\n')->assert_notmatch('runtime error')
+ 6,$d
+ %s/^\x\+: \zs.*//g
+ call assert_equal(expected, getline(1, 5))
+ bw!
+endfunc
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 4792ff1bda..947bda8f18 100644
--- a/src/version.c
+++ b/src/version.c
@@ -719,6 +719,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 1616,
 /**/
 1615,
 /**/
diff --git a/src/xxd/Makefile b/src/xxd/Makefile
index 5937f13746..1a6ca5fb28 100644
--- a/src/xxd/Makefile
+++ b/src/xxd/Makefile
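Review bot: The guard in Test_xxd_overflow is only effective when xxd was built with the sanitizer flags, because `assert_notmatch('runtime error')` matches the prefix UBSan prints, while an AddressSanitizer report reads `AddressSanitizer:` instead; in a plain build a regression of the line-buffer bound is caught only indirectly, if the overflow happens to crash xxd before the fifth address line is written. Matching both prefixes, `call getline(1, '$')->join('\n')->assert_notmatch('runtime error\|AddressSanitizer')`, and saying so in the comment, e.g. `" only meaningful with a sanitizer build of xxd (SANITIZER_CFLAGS in src/xxd/Makefile); a plain build notices a regression only through a crash`, would make the intent explicit. The five expected addresses with `-c 128` also presume /bin/true is at least 640 bytes long, which holds for the usual compiled binary but not for a tiny script implementation; `CheckExecutable` does not verify that, so a size check or a generated input file would make the test self-contained.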
@@ -1,7 +1,9 @@
 # The most simplistic Makefile
+# SANITIZER_CFLAGS=-g -O0 -fsanitize-recover=all -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer
+
 xxd: xxd.c
- $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -DUNIX -o xxd xxd.c $(LIBS)
+ $(CC) $(SANITIZER_CFLAGS) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -DUNIX -o xxd xxd.c $(LIBS)
 clean:
 rm -f xxd xxd.o
diff --git a/src/xxd/xxd.c b/src/xxd/xxd.c
index 3e7c54b423..36a5a88ec9 100644
--- a/src/xxd/xxd.c
+++ b/src/xxd/xxd.c
@@ -148,7 +148,7 @@ extern void perror __P((char *));
 # endif
 #endif
-char version[] = "xxd 2025-06-15 by Juergen Weigert et al.";
+char version[] = "xxd 2025-08-08 by Juergen Weigert et al.";
 #ifdef WIN32
 char osver[] = " (Win32)";
 #else
@@ -228,10 +228,9 @@ char osver[] = "";
 #define LLEN_NO_COLOR \
 (39 /* addr: ⌈log10(ULONG_MAX)⌉ if "-d" flag given. We assume ULONG_MAX = 2**128 */ \
 + 2 /* ": " */ \
- + 2 * COLS /* hex dump */ \
- + (COLS - 1) /* whitespace between groups if "-g1" option given and "-c" maxed out */ \
+ + 9 * COLS /* hex dump, worst case: bitwise output using -b */ \
 + 2 /* whitespace */ \
- + COLS /* ASCII dump */ \
+ + COLS /* ASCII dump */ \
 + 2) /* "\n\0" */
 char hexxa[] = "0123456789abcdef0123456789ABCDEF", *hexx = hexxa;
@@ -1182,9 +1181,7 @@ main(int argc, char *argv[])
 c += addrlen + 3 + p;
 if (color)
- {
 colors[c] = cur_color;
- }
 l[c++] =
 #if defined(__MVS__) && __CHARSET_LIB == 0
 (e >= 64)
-- 
2.47.2
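Review bot: `$(SANITIZER_CFLAGS)` is placed before `$(CFLAGS)` in the xxd rule, so whenever the caller's CFLAGS carries its own optimisation level the later flag wins and the `-O0` in the suggested SANITIZER_CFLAGS is silently overridden, which degrades the quality of sanitizer reports; ordering it after CFLAGS keeps the sanitizer settings authoritative: `$(CC) $(CFLAGS) $(SANITIZER_CFLAGS) $(CPPFLAGS) $(LDFLAGS) -DUNIX -o xxd xxd.c $(LIBS)`. The commented line is an example rather than a default, and a short comment above it saying how it is meant to be used, e.g. `# sanitizer build: make SANITIZER_CFLAGS="<flags below>"`, would spare the next reader the guess. As far as I recall, `-fsanitize-recover=all` only compiles in the ability to continue; for AddressSanitizer the run still aborts at the first report unless halt_on_error=0 is set in ASAN_OPTIONS, which is worth noting next to the flag since Test_xxd_overflow reads the output past the first error.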
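Review bot: The new `9 * COLS` term in LLEN_NO_COLOR is a bare figure where the replaced lines explained how the bound was derived; the comment should carry the derivation, e.g. `/* hex dump, worst case is -b with -g1: 8 binary digits plus one group separator per byte, which also covers the 2 hex digits plus separator of the default mode */`. The bound only holds if the column count actually written into `l[]` is clamped to COLS before the line is filled; that clamp is not in this hunk, so it is inferred from the macro's intent rather than shown. Because the buffer size now hand-encodes a per-byte output width, an explicit guard at the write site in the third hunk — the `colors[c]` and `l[c++]` stores inside main, whose body starts and ends outside the hunk — such as an assert that c stays below the size of `l`, would turn the next output-format change from a silent overflow into a failing test in any build, not only a sanitizer one.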