Is there an existing issue for this?
Midnight Commander version and build configuration
4.8.33 (commit f03e97f25, and likely all prior versions)
Operating system
Is this issue reproducible using the latest version of Midnight Commander?
How to reproduce
- Write a listing_format entry to panels.ini — requires write access to
  ~/.config/mc/panels.ini (same privilege level as MC itself). This can be achieved
  via social engineering (malicious archive extraction) or by another vulnerability
  that writes files to the user's config directory.
- Victim opens the listing format editor — presses Alt+t in MC. The dialog
  pre-populates with the crafted items. The overflow occurs immediately when the user
  presses OK, even if they do not modify any selections.
Expected behavior
No crash
Actual behavior
The heap corruption manifests as a crash on any subsequent heap operation, typically within the same dialog handler or shortly after.
Additional context
A heap buffer overflow vulnerability exists in the listing mode format editor
(listmode_edit() / collect_new_format()) when a user opens the listing format
dialog (Alt+t) with a crafted listing_format value in panels.ini.
The function collect_new_format() (listmode.c:297) allocates a fixed 1024-byte heap
buffer and then concatenates all selected format items into it using repeated strcat()
calls — with no bounds check against the allocated size. If the total length of the
concatenated format items exceeds 1024 bytes, strcat writes past the end of the heap
allocation, corrupting heap metadata and adjacent memory.
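The missing bounds check described above, shown as an added example that is not Midnight Commander's code: a hypothetical `collect_format_bounded()` joins the selected items into a caller-sized buffer and rejects the list instead of writing past the end, which is the check a `strcat()` loop over a fixed 1024-byte buffer lacks. The item separator (a single space) and the sample item lists are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FORMAT_BUF_SIZE 1024 /* same fixed size the report describes */

/* Hypothetical hardened counterpart to collect_new_format(): join 'n' items
 * with a space into 'out' (capacity 'cap' bytes, NUL included).
 * Returns 0 on success, -1 if the result would not fit; 'out' is left
 * empty on failure so a caller never sees a partially written string. */
int collect_format_bounded(const char *const *items, size_t n,
                           char *out, size_t cap)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(items[i]);
        size_t need = len + (i > 0 ? 1 : 0); /* separator before all but first */
        /* The check strcat() never performs: refuse before copying. */
        if (need > cap - 1 - used) {
            out[0] = '\0';
            return -1;
        }
        if (i > 0)
            out[used++] = ' ';
        memcpy(out + used, items[i], len + 1); /* copies the NUL too */
        used += len;
    }
    return 0;
}

/* Constructed input resembling an ordinary listing format: fits easily. */
int demo_normal_list(char *out, size_t cap)
{
    static const char *const items[] = { "half", "type", "name", "|", "size", "|", "perm" };
    return collect_format_bounded(items, 7, out, cap);
}

/* Constructed oversized input: two 600-byte items exceed 1024 bytes, so the
 * bounded join rejects them where a strcat() loop would overflow the heap. */
int demo_oversized_list(char *out, size_t cap)
{
    static char big[601];
    memset(big, 'A', 600);
    big[600] = '\0';
    const char *const items[] = { big, big };
    return collect_format_bounded(items, 2, out, cap);
}
```

Calling `demo_normal_list()` and `demo_oversized_list()` with a 1024-byte buffer shows the first succeeding and the second returning -1 with the buffer left empty.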