hexdump hang when reading format file with --format-file

[CarlosAndresRamirez]

Details
Malcrafted format files can cause the hexdump tool to hang when passed to the -f or --format-file parameters. The issue occurs inside the while (TRUE) loop in function get() in hexdump-display.c

Known affected versions
hexdump from util-linux 2.39.3 to 2.40-rc1-126-7ca98

gdb backtrack Output
(gdb) bt
#0 0x00007ffff7e7da5d in __GI___libc_read (fd=0, buf=0x7ffff3ec9010, nbytes=62087168) at ../sysdeps/unix/sysv/linux/read.c:26
#1 0x00007ffff7e05e10 in __GI__IO_file_xsgetn (fp=0x7ffff7f59aa0 <IO_2_1_stdin>, data=, n=62087168) at ./libio/libioP.h:946
#2 0x00007ffff7dfa4bb in __GI__IO_fread (buf=0x7ffff3ec9010, size=size@entry=1, count=62087168, fp=0x7ffff7f59aa0 <IO_2_1_stdin>)
at ./libio/iofread.c:38
#3 0x00005555555582c7 in get (hex=0x5555555632a0) at text-utils/hexdump-display.c:369
#4 display (hex=hex@entry=0x5555555632a0) at text-utils/hexdump-display.c:252
#5 0x0000555555557657 in main (argc=, argv=0x7fffffffdb40) at text-utils/hexdump.c:229

PoC
See attached file hang-01.txt

Credits
These findings come from a research effort on software quality and security based on a Human Error-Driven Framework for software defect prediction.

--
Carlos Andres Ramirez
Researcher

[karelzak]

From the gdb backtrack, it seems hexdump is waiting for data. Can you share the command line used for the reproducer?

Anyway, I'm able to reproduce something that looks like a hang-up, but it's because the format unit used for output contains a huge number of repeats for each input byte. The man page describes the counters as integers, so I'm not sure if I want to restrict it to smaller numbers. For this use case, the behavior is technically correct.