Bug#1025940: info: buffer overflow in copy_converting()
Package: info
Version: 7.0.1-1
Some parts of groff.info make info(1) crash:
$ info groff > /dev/null
corrupted size vs. prev_size
Aborted
Valgrind says it's a buffer overflow:
Invalid write of size 1
at 0x48CAD69: internal_utf8_loop (loop.c:335)
by 0x48CAD69: __gconv_transform_internal_utf8 (skeleton.c:619)
by 0x485A467: gconv (skeleton.c:675)
by 0x48C61F7: __gconv (gconv.c:77)
by 0x48C5C5D: iconv (iconv.c:51)
by 0x12CA1F: text_buffer_iconv (util.c:358)
by 0x11C756: copy_converting (scan.c:702)
by 0x11C756: copy_input_to_output.part.0 (scan.c:870)
by 0x11E524: copy_input_to_output (scan.c:1643)
by 0x11E524: scan_node_contents (scan.c:1643)
by 0x11BE00: info_node_of_tag_ext (nodes.c:1289)
by 0x121762: dump_node_to_stream (session.c:3818)
by 0x127FEA: dump_nodes_to_file (session.c:3782)
by 0x10CA25: main (info.c:1062)
Address 0x4ca2ff5 is 0 bytes after a block of size 1,269 alloc'd
at 0x484556B: realloc (in /usr/libexec/valgrind/vgpreload_memcheck-x86-linux.so)
by 0x13093F: xrealloc (xmalloc.c:66)
by 0x12C977: text_buffer_alloc (util.c:327)
by 0x12C977: text_buffer_alloc (util.c:320)
by 0x11C710: copy_converting (scan.c:695)
by 0x11C710: copy_input_to_output.part.0 (scan.c:870)
by 0x11E524: copy_input_to_output (scan.c:1643)
by 0x11E524: scan_node_contents (scan.c:1643)
by 0x11BE00: info_node_of_tag_ext (nodes.c:1289)
by 0x121762: dump_node_to_stream (session.c:3818)
by 0x127FEA: dump_nodes_to_file (session.c:3782)
by 0x10CA25: main (info.c:1062)
-- System Information:
Architecture: i386
Versions of packages info depends on:
ii libc6 2.36-6
ii libtinfo6 6.3+20220423-2
ii install-info 6.8-6+b1
--
Jakub Wilk
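The valgrind trace above places a one-byte write from iconv(3) immediately past a realloc-backed text buffer. As an added illustration (not texinfo's code, and not a statement of this bug's root cause), here is the defensive shape of an iconv loop into a growable buffer: the output pointer and remaining count are recomputed from the buffer's real size before every call, and E2BIG is the signal to grow and retry. The names `growbuf`, `iconv_append` and `convert_sample` are made up for the example, and the UCS-4LE input is constructed.

```c
#include <errno.h>
#include <iconv.h>
#include <stdlib.h>
#include <string.h>
/* realloc-backed output buffer (hypothetical stand-in for a text buffer) */
struct growbuf { char *base; size_t len; size_t cap; };
/* Append the conversion of in[0..inlen) from `from` to `to` onto out.
   Returns 0 on success, -1 on failure with errno set. */
static int iconv_append(struct growbuf *out, const char *from, const char *to,
                        const char *in, size_t inlen)
{
    iconv_t cd = iconv_open(to, from);
    if (cd == (iconv_t)-1) return -1;
    char *inp = (char *)in;                      /* iconv() wants char ** */
    size_t inleft = inlen;
    while (inleft > 0) {
        if (out->cap - out->len < 8) {           /* room for any one char */
            size_t ncap = out->cap ? 2 * out->cap : 16;
            char *nb = realloc(out->base, ncap);
            if (!nb) { iconv_close(cd); return -1; }
            out->base = nb; out->cap = ncap;
        }
        /* Recompute the output window from the buffer's real size on every
           call: a pointer or count kept from before a realloc is stale. */
        char *outp = out->base + out->len;
        size_t outleft = out->cap - out->len;
        size_t rc = iconv(cd, &inp, &inleft, &outp, &outleft);
        out->len = out->cap - outleft;           /* bytes iconv produced */
        /* E2BIG only means "output full"; the loop grows the buffer and retries */
        if (rc == (size_t)-1 && errno != E2BIG) { iconv_close(cd); return -1; }
    }
    iconv_close(cd);
    return 0;
}

/* Constructed sample: 16 ASCII chars, U+00E9 and U+1F600 as UCS-4LE, converted
   to UTF-8 (22 bytes: 16 + 2 + 4). Returns a malloc'd buffer or NULL. */
char *convert_sample(size_t *outlen)
{
    static const unsigned char in[] = {
        'a',0,0,0,'b',0,0,0,'c',0,0,0,'d',0,0,0,'e',0,0,0,'f',0,0,0,'g',0,0,0,
        'h',0,0,0,'i',0,0,0,'j',0,0,0,'k',0,0,0,'l',0,0,0,'m',0,0,0,'n',0,0,0,
        'o',0,0,0,'p',0,0,0, 0xE9,0,0,0, 0x00,0xF6,0x01,0x00 };
    struct growbuf out = { NULL, 0, 0 };
    if (iconv_append(&out, "UCS-4LE", "UTF-8", (const char *)in, sizeof in) != 0) {
        free(out.base); return NULL;
    }
    *outlen = out.len;
    return out.base;
}
```

The initial 16-byte buffer fills after the ASCII run, so the sample exercises the E2BIG path and one realloc before the two multi-byte characters are written.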