[bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible

From: anonymous
Subject: [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext
Date: Wed, 04 May 2016 18:15:54 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.29 Safari/537.36


                 Summary: Undefined behavior [use-after-free] possible in
                 Project: GNU gettext
            Submitted by: None
            Submitted on: Wed 04 May 2016 06:15:52 PM UTC
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any



A Coverity warning for KDE's "KI18n" framework for internationalization noted
that a piece of code derived from libgettext uses the indeterminate value of a
free()'d pointer in a comparison with a different pointer (but only when

The bug appears to still be present in the gettext upstream; see

According to the C standard, any use of the 'indeterminate' value of a
free()'d pointer is UB, no matter how innocuous (see entry 10 from
which quotes the standard's Annex J.2 directly).

A reasonable fix is to convert the pointers to be compared to uintptr while
both pointers are still valid, and then do the comparisons needed against the
uintptrs. Alternately, one could use a boolean flag to save the result of the
comparison while the pointers are both valid, free the memory if needed, and
then branch based on the comparison result.

Either of these would fix the UB while maintaining the right behavior.

I will fix in KDE but wanted to make sure upstream was warned. Please contact
at address@hidden (or simply the address@hidden mailing list) if
you need to reach out for more information. I have checked the public bug
listing and did not see an existing report; my apologies if this is a dupe.

 - Michael Pyne


  Message sent via/by Savannah
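
The two fixes proposed in the report, as an added C example (not code from gettext, KDE or the reporter). `struct cache`, `cache_set` and the `cache_drop_*` functions are hypothetical names constructed for illustration; the reported pattern appears only as a comment.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct cache { char *current; };  /* constructed one-entry cache, not gettext's */

/* BEFORE (the reported pattern), kept as a comment so it is never compiled:
 *     free(c->current);
 *     stale = (borrowed == c->current);    reads a freed pointer value: UB
 */

/* Fix 1: snapshot both pointers as integers while they are still valid. */
static int cache_drop_uintptr(struct cache *c, const char *borrowed)
{
    uintptr_t old = (uintptr_t)(void *)c->current;
    uintptr_t other = (uintptr_t)(const void *)borrowed;
    free(c->current);
    c->current = NULL;
    return old == other;    /* compares integers, not pointers */
}

/* Fix 2: save the comparison result first, then free, then branch on it. */
static int cache_drop_flag(struct cache *c, const char *borrowed)
{
    int stale = (borrowed == c->current);   /* both pointers valid here */
    free(c->current);
    c->current = NULL;
    return stale;
}

/* Store a malloc'ed copy of text; returns 0 on success, -1 on failure. */
static int cache_set(struct cache *c, const char *text)
{
    size_t n = strlen(text) + 1;
    c->current = malloc(n);
    if (c->current == NULL) return -1;
    memcpy(c->current, text, n);
    return 0;
}

int main(void)
{
    struct cache c;
    int stale;
    if (cache_set(&c, "de_DE") != 0) return 1;
    stale = cache_drop_uintptr(&c, c.current);   /* 1: argument aliased the buffer */
    if (cache_set(&c, "de_DE") != 0) return 1;
    return (stale && !cache_drop_flag(&c, "fr_FR")) ? 0 : 1;
}
```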
