On Mon, Mar 16, 2026 at 09:03:58PM +0800, Zhihan Zheng wrote:
> Hello GNU m4 Maintainer,
> 
> I would like to report a potential security issue in m4 1.4.21.

Thank you for the report.

> 
> The issue is in frozen-state reload handling in src/freeze.c. The affected
> logic is:
> 
> ```c
> if (number[(i)] + 1 > allocated[(i)])
>   {
>     allocated[(i)] = number[(i)] + 1;
>     string[(i)] = xcharalloc ((size_t) allocated[(i)]);
>   }
> ```
> 
> The parsed length is kept in int. A crafted frozen file can supply a large
> value such as 2147483647, causing number[i] + 1 to overflow and leading to
> abnormal allocation behavior. On my test build this produces a deterministic
> denial of service during m4 -R processing.

Most users don't experiment with m4 -R; autoconf does use frozen
files, but assumes that the frozen file is not malicious.  You are
right that hardening this code to do more input validation and reject
invalid frozen files is worth doing; however, it is low enough in
urgency that I am not dropping everything to work on it right away.


> 
> Affected area:
> - src/freeze.c:205-217
> - src/freeze.c:245-259
> - src/freeze.c:323-325
> 
> If useful, I can provide a minimal PoC and sanitizer output.
> 
> If you believe this is a valid security issue, please let me know your
> preferred remediation or coordinated disclosure process. If needed, I can
> also assist with CVE coordination after triage.

You already made it public by posting to the bug-m4 list. There's
nothing that coordinated disclosure will help now.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.
Virtualization:  qemu.org | libguestfs.org
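An added example (mine, not code from m4, the reporter, or the maintainer) of the kind of input validation discussed above: reject a frozen-file length that would make `number + 1` wrap in `int`, and grow the buffer in `size_t` with an explicit wrap check. The function names `frozen_length_ok` and `grow_if_needed` are hypothetical, and the sample lengths are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse-time check for a length field read from a frozen file.
   The reported code keeps the value in int and computes number + 1;
   any value above INT_MAX - 1 (including the report's 2147483647)
   makes that sum wrap.  Reject such values before they reach the
   allocator.  (Hypothetical name, not an m4 function.) */
bool frozen_length_ok(long parsed)
{
  return parsed >= 0 && parsed <= INT_MAX - 1;
}

/* Buffer growth done in size_t with an explicit wrap check.
   Returns false (leaving *buf and *allocated untouched) on overflow
   or allocation failure instead of allocating from a wrapped size.
   (Hypothetical name, not an m4 function.) */
bool grow_if_needed(size_t number, size_t *allocated, char **buf)
{
  if (number == SIZE_MAX)          /* number + 1 would wrap to 0 */
    return false;
  size_t need = number + 1;        /* room for the terminating NUL */
  if (need > *allocated)
    {
      char *p = realloc(*buf, need);
      if (p == NULL)
        return false;
      *buf = p;
      *allocated = need;
    }
  return true;
}

int main(void)
{
  /* constructed sample lengths: a normal one, the report's value, a negative */
  long lengths[] = { 10, 2147483647L, -1 };
  for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
    printf("length %ld: %s\n", lengths[i],
           frozen_length_ok(lengths[i]) ? "accepted" : "rejected");
  return 0;
}
```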
