Re: [bug-gettext] double-free in msgfmt at po-gram-gen.y:230
From: Bruno Haible
Subject: Re: [bug-gettext] double-free in msgfmt at po-gram-gen.y:230
Date: Mon, 24 Sep 2018 02:14:26 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-134-generic; KDE/5.18.0; x86_64; ; )
Hi,
Stefan Sperling wrote:
> This particular version of Subversion's Swedish translation file causes
> an error due to a duplicate message ID (expected) but also triggers
> a double-free (unexpected):
> https://svn.apache.org/repos/asf/subversion/trunk/subversion/po/sv.po?p=1841716
> ( Note that the ?p=1841716 part of this URL fetches the broken version.
> I have already fixed the file with 'msguniq' in this revision:
> https://svn.apache.org/r1841717 )
>
> This double-free was found on OpenBSD 6.3 but is likely platform-independent.
>
> On OpenBSD, the double-free causes a non-clean exit of msgfmt:
>
> subversion/po/sv.po:13836: duplicate message definition...
> subversion/po/sv.po:4723: ...this is the location of the first definition
> msgfmt(88949) in free(): chunk is already free 0x5ae722b5e40
> *** Signal 6 in target 'subversion/po/sv.mo'
> *** Signal SIGABRT in /home/stsp/svn/svn-trunk (Makefile:812 'subversion/po/sv.mo')
>
> (gdb) bt
> #0 thrkill () at -:3
> #1 0x000005adeecdf66e in _libc_abort () at
> /usr/src/lib/libc/stdlib/abort.c:51
> #2 0x000005adeecf1d59 in wrterror (d=0x5ae43368bb0,
> msg=0x5adeee34b7b "chunk is already free %p")
> at /usr/src/lib/libc/stdlib/malloc.c:291
> #3 0x000005adeecf4e6b in find_chunknum (d=0x0, info=<optimized out>, ptr=0x0,
> check=1) at /usr/src/lib/libc/stdlib/malloc.c:1043
> #4 0x000005adeecf2393 in ofree (argpool=<optimized out>, p=<optimized out>,
> clear=0, check=0, argsz=0) at /usr/src/lib/libc/stdlib/malloc.c:1359
> #5 0x000005adeecf1e5c in free (ptr=0x5ae722b5e40)
> at /usr/src/lib/libc/stdlib/malloc.c:1419
> #6 0x000005add7fd6c43 in po_gram_parse () at po-gram-gen.y:230
> #7 0x000005add7fd9bdb in po_parse (this=0x5adae96c700,
> fp=0x5adeef59f90 <usual>,
> real_filename=0x5ae459ec520 "subversion/po/sv.po",
> logical_filename=0x7f7fffff9a93 "subversion/po/sv.po") at read-po.c:41
> #8 0x000005add7fd1de8 in catalog_reader_parse (pop=0x5adae96c700,
> fp=0x5adeef59f90 <usual>,
> real_filename=0x5ae459ec520 "subversion/po/sv.po",
> logical_filename=0x7f7fffff9a93 "subversion/po/sv.po",
> input_syntax=0x5add823b2e0 <input_format_po>)
> at read-catalog-abstract.c:179
> #9 0x000005aba80034ce in read_catalog_file_msgfmt (
> filename=0x7f7fffff9a93 "subversion/po/sv.po",
> input_syntax=0x5add823b2e0 <input_format_po>) at msgfmt.c:1415
> #10 0x000005aba80020c5 in main (argc=5, argv=0x7f7fffff98c8) at msgfmt.c:746
> (gdb)
>
> $ msgfmt --version
> msgfmt (GNU gettext-tools) 0.19.8.1
> Copyright (C) 1995-1998, 2000-2016 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> Written by Ulrich Drepper.
>
> I suppose it could also be detected by tools such as Valgrind or Address
> Sanitizer on Linux.
Indeed, on Linux with valgrind I get this stack trace:
Invalid free() / delete / delete[] / realloc()
at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x415FEE: po_gram_parse (po-gram-gen.y:230)
by 0x418384: po_parse (read-po.c:41)
by 0x412774: catalog_reader_parse (read-catalog-abstract.c:179)
by 0x405C7B: read_catalog_file_msgfmt (msgfmt.c:1415)
by 0x404622: main (msgfmt.c:746)
Address 0x6722ef0 is 0 bytes inside a block of size 30 free'd
at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x41BD6B: default_add_message (read-catalog.c:378)
by 0x405941: msgfmt_add_message (msgfmt.c:1280)
by 0x41B407: call_add_message (read-catalog.c:64)
by 0x41B9DF: default_directive_message (read-catalog.c:248)
by 0x4125D6: call_directive_message (read-catalog-abstract.c:107)
by 0x412890: po_callback_message (read-catalog-abstract.c:219)
by 0x415549: do_callback_message (po-gram-gen.y:108)
by 0x415FD4: po_gram_parse (po-gram-gen.y:225)
by 0x418384: po_parse (read-po.c:41)
by 0x412774: catalog_reader_parse (read-catalog-abstract.c:179)
by 0x405C7B: read_catalog_file_msgfmt (msgfmt.c:1415)
Block was alloc'd at
at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x45FAA3: xmalloc (xmalloc.c:65)
by 0x45FC5E: xstrdup (xstrdup.c:40)
by 0x41ADBF: string_list_append (str-list.c:74)
by 0x416F9E: po_gram_parse (po-gram-gen.y:417)
by 0x418384: po_parse (read-po.c:41)
by 0x412774: catalog_reader_parse (read-catalog-abstract.c:179)
by 0x405C7B: read_catalog_file_msgfmt (msgfmt.c:1415)
by 0x404622: main (msgfmt.c:746)
The bug is already fixed in git, through this commit:
https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=commitdiff;h=dce3a16e5e9368245735e29bf498dcd5e3e474a4
Thanks for the report!
Bruno
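As an added illustration, not code from gettext or from either poster: a small Python pre-check that parses a PO file into (msgctxt, msgid) keys and reports repeated keys in the same form as the msgfmt diagnostics quoted above, so a duplicate can be caught before the file reaches an unpatched msgfmt. The PO text below is constructed for the example (it is not Subversion's sv.po); msgctxt and multi-line msgid continuations are handled because both affect which entries msgfmt considers duplicates.

```python
import re

# Constructed sample PO text: the last entry repeats the msgid "Commit" of the
# second one (spread over a continuation line), while the msgctxt "menu" entry
# is a distinct key and must not be reported.
SAMPLE_PO = """\
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\\n"

#: subversion/svn/commit-cmd.c:42
msgid "Commit"
msgstr "Arkivera"

msgctxt "menu"
msgid "Commit"
msgstr "Arkivera"

msgid ""
"Commit"
msgstr "Checka in"
"""

_KW = re.compile(r'^(msgctxt|msgid_plural|msgid|msgstr(?:\[\d+\])?)\s+"(.*)"$')
_CONT = re.compile(r'^"(.*)"$')


def parse_entries(text):
    """Return [(msgctxt or None, msgid, line of the msgid keyword), ...] per PO entry."""
    entries, fields, current, msgid_line = [], {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank line or comment ends an entry
            if "msgid" in fields:
                entries.append((fields.get("msgctxt"), fields["msgid"], msgid_line))
            fields, current, msgid_line = {}, None, None
            continue
        m = _KW.match(line)
        if m:                                       # keyword line starts a new string
            current = m.group(1)
            fields[current] = m.group(2)
            if current == "msgid":
                msgid_line = lineno
        elif current and (m := _CONT.match(line)):  # bare "..." continues the last string
            fields[current] += m.group(1)
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    if "msgid" in fields:
        entries.append((fields.get("msgctxt"), fields["msgid"], msgid_line))
    return entries


def find_duplicates(text):
    """Return [(first_definition_line, duplicate_line), ...] for repeated (msgctxt, msgid)."""
    seen, dups = {}, []
    for ctxt, msgid, lineno in parse_entries(text):
        key = (ctxt, msgid)
        if key in seen:
            dups.append((seen[key], lineno))
        else:
            seen[key] = lineno
    return dups


def report(path, text):
    """Format duplicates the way msgfmt prints them (two lines per duplicate)."""
    out = []
    for first, dup in find_duplicates(text):
        out.append(f"{path}:{dup}: duplicate message definition...")
        out.append(f"{path}:{first}: ...this is the location of the first definition")
    return out
```
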