Hello GNU m4 Maintainer,
I would like to report a potential security issue in m4 1.4.21.
The issue is in frozen-state reload handling in src/freeze.c. The
affected logic is:
```c
/* Excerpt from src/freeze.c as quoted in the report; number[] and
   allocated[] are int arrays, so number[i] + 1 is computed in int. */
if (number[(i)] + 1 > allocated[(i)])
  {
    allocated[(i)] = number[(i)] + 1;
    string[(i)] = xcharalloc ((size_t) allocated[(i)]);
  }
```
The parsed length is kept in int. A crafted frozen file can supply a
large value such as 2147483647, causing number[i] + 1 to overflow and
leading to abnormal allocation behavior. On my test build this produces
a deterministic denial of service during m4 -R processing.
Affected area:
- src/freeze.c:205-217
- src/freeze.c:245-259
- src/freeze.c:323-325
If useful, I can provide a minimal PoC and sanitizer output.
If you believe this is a valid security issue, please let me know your
preferred remediation or coordinated disclosure process. If needed, I
can also assist with CVE coordination after triage.
--
Best regards,
Zhihan Zheng
Beijing Institute of Technology
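As an added illustration of the report above (example code, not m4's own), the following C places the int-based check from the excerpt next to a hardened variant that validates the parsed length before any addition is done; the names reload_buf, ensure_capacity and length_would_overflow are hypothetical, and realloc stands in for m4's xcharalloc.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-slot bookkeeping described in the
   report: an int capacity plus the buffer it describes. */
struct reload_buf {
    int   allocated;   /* bytes currently allocated for `string` */
    char *string;
};

/* The check in the report computes `number + 1` in int, so a parsed
   length of 2147483647 (INT_MAX) overflows before the comparison.
   This helper only reports whether that would happen; it never performs
   the addition itself, because signed overflow is undefined in C. */
int length_would_overflow(int number)
{
    return number < 0 || number > INT_MAX - 1;
}

/* Hardened variant: reject the length instead of letting it wrap.
   Returns 0 on success, -1 if the length is rejected, -2 if the
   allocation fails. `number` is the parsed length in bytes; the +1
   reserves room for a terminating NUL, as in the excerpt. */
int ensure_capacity(struct reload_buf *b, int number)
{
    if (length_would_overflow(number))
        return -1;                        /* untrusted length refused */
    if (number + 1 > b->allocated) {      /* safe: number <= INT_MAX - 1 */
        char *p = realloc(b->string, (size_t) number + 1);
        if (p == NULL)
            return -2;
        b->string = p;
        b->allocated = number + 1;
    }
    return 0;
}

int main(void)
{
    struct reload_buf b = { 0, NULL };
    printf("len 10      -> rc %d, allocated %d\n",
           ensure_capacity(&b, 10), b.allocated);
    printf("len INT_MAX -> rc %d, allocated %d\n",
           ensure_capacity(&b, INT_MAX), b.allocated);
    free(b.string);
    return 0;
}
```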