Buffer overflow when HOME is a very long path and -rcfile path is relative #489

@benreynwar

This is an LLM-generated reproducer script, but I've run it myself and confirmed the output.

#!/usr/bin/env bash
# Magic buffer overflow when HOME + relative -rcfile path exceeds ~256 chars.
#
# Magic crashes with "buffer overflow detected" 
# when a relative path is passed to -rcfile and HOME is long enough that
# the combined path exceeds an internal fixed-size buffer (~256 bytes).
#
# This happens in practice when build systems like Bazel set HOME to a
# deeply nested sandbox directory.
#
# Requires: magic (magic-vlsi) in PATH
set +e

LONG_HOME="/tmp/magic_overflow_repro/$(printf 'a%.0s' {1..200})"
RELPATH="sub/$(printf 'b%.0s' {1..50})/rc.magicrc"

mkdir -p "$(dirname "$LONG_HOME/$RELPATH")"
touch "$LONG_HOME/$RELPATH"

echo "HOME length: ${#LONG_HOME}"
echo "Relative rcfile path length: ${#RELPATH}"
echo "Combined (HOME + / + relpath): $((${#LONG_HOME} + 1 + ${#RELPATH})) chars"
echo ""

cd "$LONG_HOME"

echo "=== Short HOME + relative rcfile (works) ==="
HOME="/tmp/magic_short" magic -dnull -noconsole -rcfile "$RELPATH" <<< 'exit 0' 2>&1
echo "Exit code: $?"
echo ""

echo "=== Long HOME + relative rcfile (crashes) ==="
HOME="$LONG_HOME" magic -dnull -noconsole -rcfile "$RELPATH" <<< 'exit 0' 2>&1
echo "Exit code: $?"
echo ""

echo "=== Absolute rcfile (works) ==="
HOME="$LONG_HOME" magic -dnull -noconsole -rcfile "$LONG_HOME/$RELPATH" <<< 'exit 0' 2>&1
echo "Exit code: $?"

gives me the following output:

[nix-shell:~/Projects/zamlet_synth/repro/magic_overflow]$ bash reproducer.sh 
HOME length: 226
Relative rcfile path length: 65
Combined (HOME + / + relpath): 292 chars

=== Short HOME + relative rcfile (works) ===

Magic 8.3 revision 489 - Compiled on Thu Jan 15 22:26:38 UTC 2026.
Starting magic under Tcl interpreter
Using the terminal as the console.
Using NULL graphics device.
Processing system .magicrc file
Using technology "minimum", version 0.0
Exit code: 0

=== Long HOME + relative rcfile (crashes) ===

Magic 8.3 revision 489 - Compiled on Thu Jan 15 22:26:38 UTC 2026.
Starting magic under Tcl interpreter
Using the terminal as the console.
Using NULL graphics device.
Processing system .magicrc file
*** buffer overflow detected ***: terminated
reproducer.sh: line 33: 3380550 Aborted                    (core dumped) HOME="$LONG_HOME" magic -dnull -noconsole -rcfile "$RELPATH" <<< 'exit 0' 2>&1
Exit code: 134

=== Absolute rcfile (works) ===

Magic 8.3 revision 489 - Compiled on Thu Jan 15 22:26:38 UTC 2026.
Starting magic under Tcl interpreter
Using the terminal as the console.
Using NULL graphics device.
Processing system .magicrc file
Using technology "minimum", version 0.0
Exit code: 0
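
The failure mode the reproducer describes (HOME joined with a relative `-rcfile` path into a fixed-size buffer), as an added C example that is not Magic's source and not part of the original issue. `PATH_BUF`, `join_bounded`, `join_alloc` and `try_lengths` are hypothetical names, and 256 is the issue's own estimate of the buffer size; the example shows a join that rejects an over-long result instead of overflowing, next to one that sizes the buffer from its inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256 /* assumed: the issue's "~256 bytes" estimate */

/* Join "home/rel" into a fixed buffer. Returns 0 on success, -1 if the
 * result plus its NUL would not fit; never leaves a truncated path. */
int join_bounded(char *out, size_t outsz, const char *home, const char *rel)
{
    int n = snprintf(out, outsz, "%s/%s", home, rel);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Join into a heap buffer sized from the inputs. Caller frees. */
char *join_alloc(const char *home, const char *rel)
{
    size_t need = strlen(home) + 1 + strlen(rel) + 1; /* '/' and NUL */
    char *p = malloc(need);
    if (p != NULL) snprintf(p, need, "%s/%s", home, rel);
    return p;
}

/* Build constructed inputs of the given lengths; return join_bounded's
 * result and store the heap-joined length in *full_len. */
int try_lengths(size_t home_len, size_t rel_len, size_t *full_len)
{
    char buf[PATH_BUF];
    char *home = malloc(home_len + 1), *rel = malloc(rel_len + 1);
    if (!home || !rel) { free(home); free(rel); return -2; }
    memset(home, 'a', home_len); home[home_len] = '\0';
    memset(rel, 'b', rel_len);   rel[rel_len] = '\0';
    int rc = join_bounded(buf, sizeof buf, home, rel);
    char *full = join_alloc(home, rel);
    *full_len = full ? strlen(full) : 0;
    free(full); free(home); free(rel);
    return rc;
}

int main(void)
{
    size_t n;
    int rc = try_lengths(226, 65, &n); /* lengths from the reproducer output */
    printf("fixed buffer: %s, heap join: %zu bytes\n", rc ? "rejected" : "ok", n);
    return 0;
}
```
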
