bug-gettext

Re: Segmentation fault in dcigettext.c:925 using Apache + PHP


From: Wiebe Cazemier
Subject: Re: Segmentation fault in dcigettext.c:925 using Apache + PHP
Date: Mon, 22 Jun 2020 22:38:24 +0200 (CEST)

----- Original Message -----
> From: "Wiebe Cazemier" <wiebe@halfgaar.net>
> To: "Bruno Haible" <bruno@clisp.org>
> Cc: bug-gettext@gnu.org
> Sent: Tuesday, 16 June, 2020 17:41:10
> Subject: Re: Segmentation fault in dcigettext.c:925 using Apache + PHP
>
> I'd like to revisit this. The dcigettext.c from glibc-2.27, Ubuntu 18.04, around
> line 925 (marked) is:
> 
> 
> /* Compare msgid with the original string at index nstr.
>    We compare the lengths with >=, not ==, because plural entries
>    are represented by strings with an embedded NUL.  */
> if (nstr < nstrings
>    ? W (domain->must_swap, domain->orig_tab[nstr].length) >= len
>    && (strcmp (msgid,
>                domain->data + W (domain->must_swap,
>                                    domain->orig_tab[nstr].offset))
>        == 0)
>    : domain->orig_sysdep_tab[nstr - nstrings].length > len
>    && (strcmp (msgid, // <- Line 925
>                domain->orig_sysdep_tab[nstr - nstrings].pointer)
>        == 0))
> {
>    act = nstr;
>    goto found;
> }
> 
> gdb can't access nstr, probably because it's only stored in a register. 
> However:
> 
> (gdb) print domain->orig_sysdep_tab
> $5 = (const struct sysdep_string_desc *) 0x0
> 
> I would have expected it to crash on the line above it (because it also
> references 'domain->orig_sysdep_tab'), but because gdb says 'len' is optimized
> out, perhaps line 924 isn't executed.
> 
> I can't quite figure out how to trip that swapping code. Perhaps then I could
> reproduce it. But, it seems to me it shouldn't call this with
> 'domain->orig_sysdep_tab' being 0/NULL?
> 
> Regards,
> 
> Wiebe

I think I can reproduce it, sort of. When I let my small C program from earlier 
loop forever, outputting several translations, and I generate a new .mo file with 
msgfmt, two things can happen:

1) it loses translations, even if I only remove one of the entries.
2) SIGBUS. This happens especially when the new .mo file is much shorter.

Apparently you can get SIGBUS when you're accessing outside of a mmap on a 
file? The original fault was a SIGSEGV, but the rest of the crash is similar. 
dcigettext.c line 907 this time:

  nls_uint32 nstr = W(domain->must_swap_hash_tab, domain->hash_tab[idx]);

I'm unsure at this point whether the client application should deal with this 
better or not, but I thought I'd post it.

Regards,

Wiebe
