Re: [bug-gettext] xgettext segmentation fault javascript

[Daiki Ueno]

Jesper Fehrlund <address@hidden> writes:

> I'm a colleague of Johan and I spent some time looking through the
> source code trying to figure out what the problem is.
> The problem seems to be that if the sameargnum is used then msgid and
> msgid_plural will point to the same address.
> Later in remember_a_message, if the msgid has already been encountered
> it will call free on the msgid, making msgid_plur an invalid pointer
> which is then passed to free in remember_a_message_plural.

Thanks for looking into it.

> This seems a bit tricky to solve given the current implementation.
>
> You can, however, solve it by making sure the two does not point to
> the same address to begin with (see attached patch).

Do all the tests pass after the change?  I think throughout the code
xgettext.c assumes that cp->msgid and cp->msgid_plural point to the same
address when they are the same string.  Perhaps all the address
comparisons need to be replaced with strcmp.  I don't oppose to do so;
that could make the code less hairy, though that might sacrifice
performance a bit.

> An issue with this solution is that there seems to be (at least) one
> other instance where the pointers could point to the same object, when
> looking at lines:
> 3105                 free (best_cp->msgid);
> 3106                 if (best_cp->msgid_plural == best_cp->msgid)
> 3107                   best_cp->msgid_plural = msgid;
> 3108                 best_cp->msgid = msgid;
>
> So it's possible that the same bug would appear here, I'm not sure how
> to exercise this code path.
> A similar solution could probably be applied here.

This part should be unrelated.  It is there to preserve the condition:

  best_cp->msgid_plural == best_cp->msgid

after the code conversion in earlier lines.

Regards,
--
Daiki Ueno