unexpand: fix stack overflow with large tabsizes

Resolves: RHEL-182506
Lukáš Zaoral 2026-06-05 15:57:42 +02:00
parent fe0909b540
commit 1b72513df3
No known key found for this signature in database
GPG Key ID: 39157506DD67752D
2 changed files with 35 additions and 29 deletions


@ -27,8 +27,8 @@ Co-authored-by: Pádraig Brady <pbrady@redhat.com>
src/unexpand.c | 57 ++++++----
tests/expand/mb.sh | 98 +++++++++++++++++
tests/local.mk | 2 +
tests/unexpand/mb.sh | 99 +++++++++++++++++
11 files changed, 541 insertions(+), 37 deletions(-)
tests/unexpand/mb.sh | 105 ++++++++++++++++++
11 files changed, 547 insertions(+), 37 deletions(-)
create mode 100644 lib/mbfile.c
create mode 100644 lib/mbfile.h
create mode 100644 m4/mbfile.m4
@ -36,7 +36,7 @@ Co-authored-by: Pádraig Brady <pbrady@redhat.com>
create mode 100755 tests/unexpand/mb.sh
diff --git a/bootstrap.conf b/bootstrap.conf
index 57e8eaf..7d53e28 100644
index 57e8eaf1c..7d53e284b 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -155,6 +155,7 @@ gnulib_modules="
@ -48,7 +48,7 @@ index 57e8eaf..7d53e28 100644
mbrtowc
mbsalign
diff --git a/configure.ac b/configure.ac
index c2ad08c..f5da816 100644
index c2ad08c39..f5da8163e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -446,6 +446,8 @@ fi
@ -62,7 +62,7 @@ index c2ad08c..f5da816 100644
if test $gl_cv_sys_tiocgwinsz_needs_termios_h = no && \
diff --git a/lib/mbfile.c b/lib/mbfile.c
new file mode 100644
index 0000000..b0a468e
index 000000000..b0a468efa
--- /dev/null
+++ b/lib/mbfile.c
@@ -0,0 +1,3 @@
@ -71,7 +71,7 @@ index 0000000..b0a468e
+#include "mbfile.h"
diff --git a/lib/mbfile.h b/lib/mbfile.h
new file mode 100644
index 0000000..11f1b12
index 000000000..11f1b1242
--- /dev/null
+++ b/lib/mbfile.h
@@ -0,0 +1,255 @@
@ -332,7 +332,7 @@ index 0000000..11f1b12
+#endif /* _MBFILE_H */
diff --git a/m4/mbfile.m4 b/m4/mbfile.m4
new file mode 100644
index 0000000..8589902
index 000000000..858990213
--- /dev/null
+++ b/m4/mbfile.m4
@@ -0,0 +1,14 @@
@ -351,7 +351,7 @@ index 0000000..8589902
+ :
+])
diff --git a/src/expand.c b/src/expand.c
index 3412d7b..ec91d01 100644
index 3412d7b09..ec91d01e9 100644
--- a/src/expand.c
+++ b/src/expand.c
@@ -37,6 +37,9 @@
@ -460,7 +460,7 @@ index 3412d7b..ec91d01 100644
}
diff --git a/src/local.mk b/src/local.mk
index 72db9c7..ef3bfa4 100644
index 72db9c704..ef3bfa469 100644
--- a/src/local.mk
+++ b/src/local.mk
@@ -415,8 +415,8 @@ src_basenc_CPPFLAGS = -DBASE_TYPE=42 $(AM_CPPFLAGS)
@ -475,7 +475,7 @@ index 72db9c7..ef3bfa4 100644
# Ensure we don't link against libcoreutils.a as that lib is
# not compiled with -fPIC which causes issues on 64 bit at least
diff --git a/src/unexpand.c b/src/unexpand.c
index 09dafdb..e7f4e8a 100644
index 09dafdbe1..bcb3b11be 100644
--- a/src/unexpand.c
+++ b/src/unexpand.c
@@ -38,6 +38,9 @@
@ -507,7 +507,7 @@ index 09dafdb..e7f4e8a 100644
tab stop, then MAX_COLUMN_WIDTH - 1 blanks, then a non-blank; so
allocate MAX_COLUMN_WIDTH bytes to store the blanks. */
- pending_blank = xmalloc (max_column_width);
+ pending_blank = xmalloc (max_column_width * sizeof (mbf_char_t));
+ pending_blank = xnmalloc (max_column_width, sizeof (mbf_char_t));
+
+ mbf_init (mbf, fp);
@ -636,7 +636,7 @@ index 09dafdb..e7f4e8a 100644
diff --git a/tests/expand/mb.sh b/tests/expand/mb.sh
new file mode 100755
index 0000000..dab27b4
index 000000000..dab27b479
--- /dev/null
+++ b/tests/expand/mb.sh
@@ -0,0 +1,98 @@
@ -739,10 +739,10 @@ index 0000000..dab27b4
+
+Exit $fail
diff --git a/tests/local.mk b/tests/local.mk
index bf6a1c5..94c0f37 100644
index 9e366ebed..5bf132ae8 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -572,6 +572,7 @@ all_tests = \
@@ -573,6 +573,7 @@ all_tests = \
tests/du/threshold.sh \
tests/du/trailing-slash.sh \
tests/du/two-args.sh \
@ -750,7 +750,7 @@ index bf6a1c5..94c0f37 100644
tests/id/gnu-zero-uids.sh \
tests/id/no-context.sh \
tests/id/context.sh \
@@ -719,6 +720,7 @@ all_tests = \
@@ -720,6 +721,7 @@ all_tests = \
tests/touch/read-only.sh \
tests/touch/relative.sh \
tests/touch/trailing-slash.sh \
@ -760,10 +760,10 @@ index bf6a1c5..94c0f37 100644
# See tests/factor/create-test.sh.
diff --git a/tests/unexpand/mb.sh b/tests/unexpand/mb.sh
new file mode 100755
index 0000000..a7b6ad0
index 000000000..4b797034f
--- /dev/null
+++ b/tests/unexpand/mb.sh
@@ -0,0 +1,99 @@
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+# Copyright (C) 2012-2015 Free Software Foundation, Inc.
@ -783,6 +783,7 @@ index 0000000..a7b6ad0
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ unexpand
+getlimits_
+
+export LC_ALL=en_US.UTF-8
+
@ -862,7 +863,12 @@ index 0000000..a7b6ad0
+unexpand -a < in > out || fail=1
+compare exp out > /dev/null 2>&1 || fail=1
+
+for mb_mul in 4 6; do
+ printf ' \n' | unexpand -t $(expr $SIZE_MAX / $mb_mul + 1) 2>err; ret=$?
+ test "$ret" = 1 || test "$ret" = 0 || { cat err; fail=1; }
+done
+
+Exit $fail
--
2.53.0
2.54.0
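Review bot: The loop added to tests/unexpand/mb.sh accepts exit status 1 as well as 0, so it also passes when `unexpand` never receives the oversized tab size. If `expr $SIZE_MAX / $mb_mul + 1` fails or prints nothing (for instance an `expr` built without arbitrary-precision arithmetic, which this page does not let me confirm), `-t` is left without a value and the resulting usage error counts as a pass. Computing the value first closes that gap: `tabsize=$(expr $SIZE_MAX / $mb_mul + 1) || framework_failure_`, then `unexpand -t "$tabsize" 2>err; ret=$?`. A short comment explaining the multipliers 4 and 6 would also help, because the allocation being protected is `xnmalloc (max_column_width, sizeof (mbf_char_t))` and that element size is not visible here.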


@ -13,7 +13,7 @@ Subject: [PATCH] coreutils-i18n-un-expand-BOM.patch
6 files changed, 341 insertions(+), 2 deletions(-)
diff --git a/src/expand-common.c b/src/expand-common.c
index e4209a0..76be4d8 100644
index e4209a015..76be4d8d5 100644
--- a/src/expand-common.c
+++ b/src/expand-common.c
@@ -19,6 +19,7 @@
@ -145,7 +145,7 @@ index e4209a0..76be4d8 100644
to the list of tab stops. */
extern void
diff --git a/src/expand-common.h b/src/expand-common.h
index f304fbb..eaa2f15 100644
index f304fbb2b..eaa2f1505 100644
--- a/src/expand-common.h
+++ b/src/expand-common.h
@@ -34,6 +34,18 @@ extern size_t max_column_width;
@ -168,7 +168,7 @@ index f304fbb..eaa2f15 100644
extern void
add_tab_stop (uintmax_t tabval);
diff --git a/src/expand.c b/src/expand.c
index 8144e43..bf61aff 100644
index 8144e4344..bf61aff7c 100644
--- a/src/expand.c
+++ b/src/expand.c
@@ -103,11 +103,33 @@ expand (void)
@ -235,7 +235,7 @@ index 8144e43..bf61aff 100644
}
else
diff --git a/src/unexpand.c b/src/unexpand.c
index 7a010e2..da80dac 100644
index c2d95fd74..6faa94eb7 100644
--- a/src/unexpand.c
+++ b/src/unexpand.c
@@ -116,16 +116,36 @@ unexpand (void)
@ -266,7 +266,7 @@ index 7a010e2..da80dac 100644
/* The worst case is a non-blank character, then one blank, then a
tab stop, then MAX_COLUMN_WIDTH - 1 blanks, then a non-blank; so
allocate MAX_COLUMN_WIDTH bytes to store the blanks. */
pending_blank = xmalloc (max_column_width * sizeof (mbf_char_t));
pending_blank = xnmalloc (max_column_width, sizeof (mbf_char_t));
- mbf_init (mbf, fp);
+ if (found_bom == true)
@ -305,7 +305,7 @@ index 7a010e2..da80dac 100644
}
else
diff --git a/tests/expand/mb.sh b/tests/expand/mb.sh
index 3a5eb95..6d6497a 100755
index 3a5eb95c2..6d6497a3d 100755
--- a/tests/expand/mb.sh
+++ b/tests/expand/mb.sh
@@ -109,4 +109,75 @@ env printf '12345678
@ -385,12 +385,12 @@ index 3a5eb95..6d6497a 100755
+
Exit $fail
diff --git a/tests/unexpand/mb.sh b/tests/unexpand/mb.sh
index 92962f6..f64542e 100755
index 0ff44c508..17a149d1c 100755
--- a/tests/unexpand/mb.sh
+++ b/tests/unexpand/mb.sh
@@ -112,4 +112,62 @@ env printf '12345678
unexpand -a < in > out || fail=1
compare exp out > /dev/null 2>&1 || fail=1
@@ -118,4 +118,62 @@ for mb_mul in 4 6; do
test "$ret" = 1 || test "$ret" = 0 || { cat err; fail=1; }
done
+#BOM header test 1
+printf "\xEF\xBB\xBF" > in; cat <<\EOF >> in || framework_failure_
@ -452,5 +452,5 @@ index 92962f6..f64542e 100755
+
Exit $fail
--
2.53.0
2.54.0