From 8c9602e3a145e9596dc1a63c6ed67865814b6633 Mon Sep 17 00:00:00 2001 From: Pádraig Brady Date: Tue, 20 May 2025 16:03:44 +0100 Subject: sort: fix buffer under-read (CWE-127) * src/sort.c (begfield): Check pointer adjustment to avoid Out-of-range pointer offset (CWE-823). (limfield): Likewise. * tests/sort/sort-field-limit.sh: Add a new test, which triggers with ASAN or Valgrind. * tests/local.mk: Reference the new test. * NEWS: Mention bug fix introduced in v7.2 (2009). Fixes https://bugs.gnu.org/78507 --- NEWS | 5 +++++ src/sort.c | 12 ++++++++++-- tests/local.mk | 1 + tests/sort/sort-field-limit.sh | 35 +++++++++++++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 2 deletions(-) create mode 100755 tests/sort/sort-field-limit.sh The new tests is NOT added in NixOS. diff --git a/NEWS b/NEWS index 6ff403206..923aa72f8 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,11 @@ GNU coreutils NEWS -*- outline -*- copying to non-NFS files from NFSv4 files with trivial ACLs. [bug introduced in coreutils-9.6] + sort with key character offsets of SIZE_MAX, could induce + a read of 1 byte before an allocated heap buffer. For example: + 'sort +0.18446744073709551615R input' on 64 bit systems. + [bug introduced in coreutils-7.2] + * Noteworthy changes in release 9.7 (2025-04-09) [stable] diff --git a/src/sort.c b/src/sort.c index b10183b6f..7af1a2512 100644 --- a/src/sort.c +++ b/src/sort.c @@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key) ++ptr; /* Advance PTR by SCHAR (if possible), but no further than LIM. */ - ptr = MIN (lim, ptr + schar); + size_t remaining_bytes = lim - ptr; + if (schar < remaining_bytes) + ptr += schar; + else + ptr = lim; return ptr; } @@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key) ++ptr; /* Advance PTR by ECHAR (if possible), but no further than LIM. */ - ptr = MIN (lim, ptr + echar); + size_t remaining_bytes = lim - ptr; + if (echar < remaining_bytes) + ptr += echar; + else + ptr = lim; } return ptr;