Hello GNU m4 Maintainer,
I would like to report a potential security issue in m4 1.4.21.
The issue is in substr handling in src/builtin.c. The code checks:
```c
if (start + length > avail)
  length = avail - start;
obstack_grow (obs, ARG (1) + start, length);
```
Because start, length, and avail are stored as int, start + length can
overflow. With crafted input, this can bypass the intended bounds logic
and lead to an out-of-bounds read followed by a crash.
Affected area:
- src/builtin.c:1822-1847
If useful, I can provide a minimal PoC and sanitizer output.
If you believe this is a valid security issue, please let me know your
preferred remediation or coordinated disclosure process. If needed, I
can also assist with CVE coordination after triage.
--
Best regards,
Zhihan Zheng
Beijing Institute of Technology
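
The bounds check described in the report, as an added example that is not part of the original message and is not m4 source code: it compares the quoted comparison with an overflow-free form on constructed values. The function names, the 32-bit `int` assumption, and the range precondition in `clamp_checked` are assumptions of this example.

```c
#include <limits.h>
#include <stdio.h>

/* Model of 32-bit two's-complement wraparound for int addition.
   Signed overflow is undefined behaviour in C, so the wrap is computed
   in a wider type instead of actually overflowing. Assumes 32-bit int. */
static int wrap_add(int a, int b)
{
    long long wide = (long long)a + b;
    if (wide > INT_MAX) wide -= 4294967296LL;
    if (wide < INT_MIN) wide += 4294967296LL;
    return (int)wide;
}

/* The check as quoted in the report: the sum can wrap negative, the
   comparison is then false, and length is left unclamped. */
static int clamp_as_reported(int start, int length, int avail)
{
    if (wrap_add(start, length) > avail)
        length = avail - start;
    return length;
}

/* Overflow-free form: validate the range first (this example's own
   precondition), then compare against avail - start, which cannot
   overflow once 0 <= start < avail holds. */
static int clamp_checked(int start, int length, int avail)
{
    if (start < 0 || length <= 0 || start >= avail)
        return 0;
    if (length > avail - start)
        length = avail - start;
    return length;
}

int main(void)
{
    /* Constructed values: a 5-byte string, offset 1, length INT_MAX. */
    printf("as reported: %d\n", clamp_as_reported(1, INT_MAX, 5));
    printf("checked:     %d\n", clamp_checked(1, INT_MAX, 5));
    return 0;
}
```

The first call leaves the length at `INT_MAX` although only 4 bytes remain after offset 1; the second clamps it to 4.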