[bug-gettext] double-free in msgfmt at po-gram-gen.y:230

From: Stefan Sperling
Subject: [bug-gettext] double-free in msgfmt at po-gram-gen.y:230
Date: Sun, 23 Sep 2018 09:18:15 +0200
User-agent: Mutt/1.9.4 (2018-02-28)


This particular version of Subversion's Swedish translation file causes
an error due to a duplicate message ID (expected) but also triggers
a double-free (unexpected):
(Note that the ?p=1841716 part of this URL fetches the broken version.
I have already fixed the file with 'msguniq' in this revision:
https://svn.apache.org/r1841717 )

This double-free was found on OpenBSD 6.3 but is likely platform-independent.
I suppose it could also be detected by tools such as Valgrind or Address
Sanitizer on Linux.

On OpenBSD, the double-free causes a non-clean exit of msgfmt:

subversion/po/sv.po:13836: duplicate message definition...
subversion/po/sv.po:4723: ...this is the location of the first definition
msgfmt(88949) in free(): chunk is already free 0x5ae722b5e40
*** Signal 6 in target 'subversion/po/sv.mo'
*** Signal SIGABRT in /home/stsp/svn/svn-trunk (Makefile:812 'subversion/po/sv.m

(gdb) bt
#0  thrkill () at -:3
#1  0x000005adeecdf66e in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#2  0x000005adeecf1d59 in wrterror (d=0x5ae43368bb0,
    msg=0x5adeee34b7b "chunk is already free %p")
    at /usr/src/lib/libc/stdlib/malloc.c:291
#3  0x000005adeecf4e6b in find_chunknum (d=0x0, info=<optimized out>, ptr=0x0,
    check=1) at /usr/src/lib/libc/stdlib/malloc.c:1043
#4  0x000005adeecf2393 in ofree (argpool=<optimized out>, p=<optimized out>,
    clear=0, check=0, argsz=0) at /usr/src/lib/libc/stdlib/malloc.c:1359
#5  0x000005adeecf1e5c in free (ptr=0x5ae722b5e40)
    at /usr/src/lib/libc/stdlib/malloc.c:1419
#6  0x000005add7fd6c43 in po_gram_parse () at po-gram-gen.y:230
#7  0x000005add7fd9bdb in po_parse (this=0x5adae96c700,
    fp=0x5adeef59f90 <usual>,
    real_filename=0x5ae459ec520 "subversion/po/sv.po",
    logical_filename=0x7f7fffff9a93 "subversion/po/sv.po") at read-po.c:41
#8  0x000005add7fd1de8 in catalog_reader_parse (pop=0x5adae96c700,
    fp=0x5adeef59f90 <usual>,
    real_filename=0x5ae459ec520 "subversion/po/sv.po",
    logical_filename=0x7f7fffff9a93 "subversion/po/sv.po",
    input_syntax=0x5add823b2e0 <input_format_po>)
    at read-catalog-abstract.c:179
#9  0x000005aba80034ce in read_catalog_file_msgfmt (
    filename=0x7f7fffff9a93 "subversion/po/sv.po",
    input_syntax=0x5add823b2e0 <input_format_po>) at msgfmt.c:1415
#10 0x000005aba80020c5 in main (argc=5, argv=0x7f7fffff98c8) at msgfmt.c:746

$ msgfmt --version
msgfmt (GNU gettext-tools)
Copyright (C) 1995-1998, 2000-2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Ulrich Drepper.

Please let me know if any additional information is needed to fix this bug.

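The trigger described in the report is a .po file in which the same message (the same msgctxt/msgid pair) is defined twice, which msgfmt reports as "duplicate message definition" before the double-free occurs. The following is an added example, not code from the bug report or from gettext-tools: a small Python pre-flight check that parses a .po file with a deliberately simplified parser (keyword lines, quoted continuation lines and comments only), finds duplicate definitions and prints them in the same two-line form msgfmt uses. The sample translation file embedded below is constructed for the example and is not Subversion's sv.po. It does not reproduce the crash itself; for that, the reporter's suggestion of Valgrind or Address Sanitizer still applies.

```python
"""Pre-flight check for duplicate message definitions in a gettext .po file.

Added example, not code from the bug report or gettext-tools. Reports the same
(msgctxt, msgid) pair defined twice, in the two-line form msgfmt prints, so a
translation file can be rejected before msgfmt is run on it.
"""
import re
from typing import Dict, List, Optional, Tuple

_KEYWORD = re.compile(r'^(msgctxt|msgid|msgid_plural|msgstr(?:\[\d+\])?)\s+"(.*)"$')
_CONTINUATION = re.compile(r'^"(.*)"$')
_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', '"': '"', '\\': '\\'}

MessageKey = Tuple[Optional[str], str]      # (msgctxt or None, msgid)
Duplicate = Tuple[int, int, MessageKey]     # (duplicate line, first line, key)


def _unescape(raw: str) -> str:
    """Decode the common C-style escapes used inside a quoted .po string."""
    return re.sub(r'\\(.)', lambda m: _ESCAPES.get(m.group(1), m.group(0)), raw)


def parse_po_entries(po_text: str) -> List[Tuple[Dict[str, str], Dict[str, int]]]:
    """Split a .po file into entries of (fields, keyword line numbers).

    Simplified parser (assumption of this example): comment lines, including
    '#~' obsolete entries, are skipped; a msgctxt/msgid that follows a msgstr
    starts the next entry. The line recorded for each keyword is the line of
    the keyword itself, which is what msgfmt reports.
    """
    entries: List[Tuple[Dict[str, str], Dict[str, int]]] = []
    fields: Dict[str, List[str]] = {}
    lines: Dict[str, int] = {}
    last_keyword: Optional[str] = None

    def flush() -> None:
        nonlocal fields, lines, last_keyword
        if fields:
            entries.append(({k: _unescape(''.join(v)) for k, v in fields.items()}, lines))
        fields, lines, last_keyword = {}, {}, None

    for lineno, raw in enumerate(po_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _KEYWORD.match(line)
        if m:
            keyword, chunk = m.group(1), m.group(2)
            if keyword in ('msgctxt', 'msgid') and any(k.startswith('msgstr') for k in fields):
                flush()                      # previous entry is complete
            fields[keyword] = [chunk]
            lines[keyword] = lineno
            last_keyword = keyword
            continue
        m = _CONTINUATION.match(line)
        if m and last_keyword is not None:
            fields[last_keyword].append(m.group(1))   # multi-line string
            continue
        raise ValueError(f'line {lineno}: cannot parse {raw!r}')
    flush()
    return entries


def find_duplicate_messages(po_text: str) -> List[Duplicate]:
    """Return every entry whose (msgctxt, msgid) was already defined earlier."""
    first_seen: Dict[MessageKey, int] = {}
    duplicates: List[Duplicate] = []
    for fields, lines in parse_po_entries(po_text):
        if 'msgid' not in fields:
            continue
        key: MessageKey = (fields.get('msgctxt'), fields['msgid'])
        if key in first_seen:
            duplicates.append((lines['msgid'], first_seen[key], key))
        else:
            first_seen[key] = lines['msgid']
    return duplicates


def format_report(filename: str, duplicates: List[Duplicate]) -> List[str]:
    """Render duplicates in the two-line style msgfmt prints."""
    report: List[str] = []
    for dup_line, first_line, _key in duplicates:
        report.append(f'{filename}:{dup_line}: duplicate message definition...')
        report.append(f'{filename}:{first_line}: ...this is the location of the first definition')
    return report


# Constructed sample input, not Subversion's sv.po. The entry at line 15 repeats
# the msgid of line 7 (split over a continuation line); the two "Lock" entries
# differ in msgctxt and are therefore distinct messages, not duplicates.
SAMPLE_PO = r'''# Constructed sample, not a real translation file
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

#: subversion/libsvn_client/add.c:100
msgid "Path '%s' does not exist"
msgstr "Sökvägen \"%s\" finns inte"

msgctxt "verb"
msgid "Lock"
msgstr "Lås"

#, c-format
msgid "Path '%s' "
"does not exist"
msgstr "Sökvägen \"%s\" finns inte"

msgctxt "noun"
msgid "Lock"
msgstr "Lås"
'''

if __name__ == '__main__':
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding='utf-8').read() if path else SAMPLE_PO
    for out in format_report(path or 'sample.po', find_duplicate_messages(text)):
        print(out)
```

Run with a .po path as the only argument (or with no argument to check the embedded sample); a non-empty report means the file would hit the duplicate-definition error in msgfmt and should first be deduplicated, for instance with msguniq as the reporter did.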