bug-gettext

Re: [bug-gettext] Gettext 0.19.4 has buggy msgunfmt-3 test?


From: Daiki Ueno
Subject: Re: [bug-gettext] Gettext 0.19.4 has buggy msgunfmt-3 test?
Date: Tue, 10 Mar 2015 09:55:51 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

Max Lin <address@hidden> writes:

> On openSUSE Build Service we see gettext 0.19.4 has a random test
> failure in msgunfmt-3. I've been trying to debug it on my local
> machine; my first suspicion is about memory size. It looks like this
> test requires a certain, sufficient amount of virtual memory, otherwise
> the test will fail. For example, if I do 'ulimit -v 40000' on my local
> machine then the test fails, but it passes if set to
> unlimited. *But* I cannot confirm it was memory related, so any
> debugging way/suggestion? Or is it a known issue in 0.19.4 actually?

Thanks for reporting that.  In 0.19.4, we added several integer overflow
checks in msgunfmt based on a report from a fuzzing tool:
http://lists.gnu.org/archive/html/bug-gettext/2014-12/msg00005.html
and it was a leftover.  The attached patch should fix this.

It would be nice if we could detect it reliably in msgunfmt-3 test,
though 'ulimit -v' seems not portable.

Regards,
--
Daiki Ueno
From a4bf41a3705f1e57e0b7c418f16fec1fd11b5252 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <address@hidden>
Date: Tue, 10 Mar 2015 09:43:41 +0900
Subject: [PATCH] msgunfmt: Check allocated size for static segment

Reported by Max Lin in:
http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
* read-mo.c (get_sysdep_string): Check if the embedded segment
size is valid, before adding it to the string length.
---
 gettext-tools/src/ChangeLog | 8 ++++++++
 gettext-tools/src/read-mo.c | 6 ++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/gettext-tools/src/ChangeLog b/gettext-tools/src/ChangeLog
index 754a9dc..423ba5a 100644
--- a/gettext-tools/src/ChangeLog
+++ b/gettext-tools/src/ChangeLog
@@ -1,3 +1,11 @@
+2015-03-10  Daiki Ueno  <address@hidden>
+
+       msgunfmt: Check allocated size for static segment
+       Reported by Max Lin in:
+       http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
+       * read-mo.c (get_sysdep_string): Check if the embedded segment
+       size is valid, before adding it to the string length.
+
 2015-03-02  Daiki Ueno  <address@hidden>
 
        xgettext: Support message syntax checks
diff --git a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c
index b97bbad..aca5a93 100644
--- a/gettext-tools/src/read-mo.c
+++ b/gettext-tools/src/read-mo.c
@@ -146,7 +146,7 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t 
offset,
   char *string;
   size_t i;
   char *p;
-  nls_uint32 s_offset;
+  nls_uint32 s_offset = get_uint32 (bfp, offset);
 
   /* Compute the length.  */
   length = 0;
@@ -158,8 +158,11 @@ get_sysdep_string (const struct binary_mo_file *bfp, 
size_t offset,
       nls_uint32 ss_length;
       nls_uint32 ss_offset;
       size_t ss_end;
+      size_t s_end = xsum (s_offset, segsize);
       size_t n;
 
+      if (size_overflow_p (s_end) || s_end > bfp->size)
+        error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
       length += segsize;
 
       if (sysdepref == SEGMENTS_END)
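Review bot: The new bound in the length loop tests s_offset + segsize separately for every segment, but nothing visible in this loop advances s_offset while length keeps accumulating, so several segments that each fit below bfp->size can pass the check even though their total runs past the end of the file. If the fill loop copies the static parts consecutively starting at s_offset (that code is outside this hunk), validate against a running offset instead: keep a local copy of s_offset in this loop, add segsize to it after each successful check, and compare that running value with bfp->size. The accumulation in `length += segsize;` is also unchecked; using xsum there and testing size_overflow_p before XNMALLOC would match the style of the added check.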
@@ -190,7 +193,6 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t 
offset,
   /* Allocate and fill the string.  */
   string = XNMALLOC (length, char);
   p = string;
-  s_offset = get_uint32 (bfp, offset);
   for (i = 4; ; i += 8)
     {
       nls_uint32 segsize = get_uint32 (bfp, offset + i);
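Review bot: Nothing in the patch exercises the new check: the diffstat lists only ChangeLog and read-mo.c, and after this removal the fill loop relies entirely on s_offset and each segsize having been validated in the length loop above. Add a regression input to the test suite, a .mo file whose static segment offset plus size lies beyond the file size, and assert that msgunfmt exits with the "is truncated" error, so the failure is caught deterministically rather than depending on 'ulimit -v'.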
-- 
2.1.3

