Re: [bug-gettext] Bug#876498: gettext: msgunfmt: heap corruption
From: Daiki Ueno
Subject: Re: [bug-gettext] Bug#876498: gettext: msgunfmt: heap corruption
Date: Sat, 23 Sep 2017 18:22:33 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)
Jakub Wilk <address@hidden> writes:
> Package: gettext
> Version: 0.19.8.1-4
>
> msgunfmt crashes on the attached file:
>
> $ zcat bad.mo.gz | msgunfmt
> *** Error in `msgunfmt': corrupted size vs. prev_size: 0x57b0abf0 ***
> ...
> Aborted
>
> Unhelpful backtrace:
Running msgunfmt under valgrind might give you more hints. Anyway, I am
suspecting this is caused by a missing NUL termination in
get_sysdep_string in read-mo.c, which should be fixed by the attached patch.
Regards,
--
Daiki Ueno
From 3c66e050e344ec890f0c1e467753c2ed46bc7bb8 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <address@hidden>
Date: Sat, 23 Sep 2017 18:09:33 +0200
Subject: [PATCH] msgunfmt: Avoid heap buffer overrun
* gettext-tools/src/read-mo.c (get_sysdep_string): NUL-terminate the result.
* gettext-tools/tests/msgunfmt-3: Check no-nul-sysdep.mo.
* gettext-tools/tests/no-nul-sysdep.mo: New test data.
Reported by Jakub Wilk in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876498
---
gettext-tools/src/read-mo.c | 3 ++-
gettext-tools/tests/msgunfmt-3 | 4 ++--
gettext-tools/tests/no-nul-sysdep.mo | Bin 0 -> 2805 bytes
3 files changed, 4 insertions(+), 3 deletions(-)
create mode 100644 gettext-tools/tests/no-nul-sysdep.mo
diff --git a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c
index 9ddd6b2d2..33d7a5828 100644
--- a/gettext-tools/src/read-mo.c
+++ b/gettext-tools/src/read-mo.c
@@ -194,7 +194,8 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t
offset,
}
/* Allocate and fill the string. */
- string = XNMALLOC (length, char);
+ string = XNMALLOC (length + 1, char);
+ string[length] = '\0';
p = string;
s_offset = get_uint32 (bfp, offset);
for (i = 4; ; i += 8)
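Review bot: The new `XNMALLOC (length + 1, char)` line adds 1 to `length` with no overflow guard visible in this hunk, and `length` is computed from the .mo file being parsed. If the code above the hunk does not already bound it, a `length` of SIZE_MAX would wrap the element count to 0 and the following `string[length] = '\0'` would write far outside the allocation. An overflow-checked addition, or an explicit rejection of that value before allocating, would close this. The comment "Allocate and fill the string." could also say that the result is NUL-terminated, since callers evidently rely on it.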
diff --git a/gettext-tools/tests/msgunfmt-3 b/gettext-tools/tests/msgunfmt-3
index 42dc1cc55..3d06d1c52 100755
--- a/gettext-tools/tests/msgunfmt-3
+++ b/gettext-tools/tests/msgunfmt-3
@@ -5,8 +5,8 @@
: ${MSGUNFMT=msgunfmt}
-for n in 1 2 3 4 5 6; do
- LANGUAGE= LC_ALL=C ${MSGUNFMT} "$abs_srcdir"/overflow-$n.mo 2>mu-3.err
>/dev/null
+for f in "$abs_srcdir"/overflow-*.mo "$abs_srcdir"/no-nul-sysdep.mo; do
+ LANGUAGE= LC_ALL=C ${MSGUNFMT} $f 2>mu-3.err >/dev/null
test $? != 0 || Exit 1
grep ' is truncated' mu-3.err >/dev/null || Exit 1
done
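Review bot: `$f` is unquoted in the new `${MSGUNFMT} $f` line, while the line it replaces kept `"$abs_srcdir"` quoted, so a source directory containing whitespace or glob characters would now be word-split before reaching msgunfmt. Writing `"$f"` keeps the previous behaviour. Switching from the fixed `1 2 3 4 5 6` list to `overflow-*.mo` also means that a removed or renamed test file is skipped silently instead of failing the loop, which may be worth a short comment in the script.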
diff --git a/gettext-tools/tests/no-nul-sysdep.mo
b/gettext-tools/tests/no-nul-sysdep.mo
new file mode 100644
index
0000000000000000000000000000000000000000..6bcaa510535cc77b4b1bd48ecad9741bd4549021
GIT binary patch
literal 2805
zcmca7#4^>ufB_5);D7<nf-o2iT!1P(fEYyr%JTt=CxGODm<fpg0|8teNSp&address@hidden
k7!85Z5Eu=C(GVC7fzc2c4S_)(0;address@hidden<LI3~&
literal 0
HcmV?d00001
--
2.13.5
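The bug class the reply suspects (a string assembled from file-supplied segments into exactly `length` bytes, then used as a C string), as an added example in C that is not gettext code and not part of the original message. `struct segment`, `concat_segments` and `has_terminator` are hypothetical names, and the sample segments are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one segment of a system-dependent string:
   a pointer into the file image plus the byte count the file claims. */
struct segment { const char *data; size_t size; };

/* Concatenate the segments into a fresh heap buffer.  terminate == 0 gives the
   pre-patch shape (exactly `length` bytes, no NUL); terminate != 0 reserves one
   extra byte and writes the terminator.  Returns NULL on size overflow or
   allocation failure; *cap_out receives the number of bytes allocated. */
static char *concat_segments(const struct segment *segs, size_t n,
                             int terminate, size_t *cap_out)
{
    size_t length = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].size > SIZE_MAX - length)   /* summed sizes would wrap */
            return NULL;
        length += segs[i].size;
    }
    if (terminate && length == SIZE_MAX)        /* length + 1 would wrap */
        return NULL;
    size_t cap = length + (terminate ? 1 : 0);
    char *string = malloc(cap ? cap : 1);
    if (string == NULL)
        return NULL;
    char *p = string;
    for (size_t i = 0; i < n; i++) {
        memcpy(p, segs[i].data, segs[i].size);
        p += segs[i].size;
    }
    if (terminate)
        *p = '\0';
    *cap_out = cap;
    return string;
}

/* Bounded check: is there a NUL inside the allocation?  Unlike strlen, this
   never reads past `cap`, so it is safe on the unterminated buffer. */
static int has_terminator(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

int main(void)
{
    /* Constructed sample segments, not taken from the reporter's file. */
    const struct segment segs[] = { {"%", 1}, {"ld", 2}, {" items", 6} };
    size_t cap_old = 0, cap_new = 0;
    char *old_buf = concat_segments(segs, 3, 0, &cap_old);
    char *new_buf = concat_segments(segs, 3, 1, &cap_new);
    if (old_buf == NULL || new_buf == NULL)
        return 1;
    printf("without terminator: NUL in buffer = %d\n", has_terminator(old_buf, cap_old));
    printf("with terminator:    NUL in buffer = %d\n", has_terminator(new_buf, cap_new));
    free(old_buf);
    free(new_buf);
    return 0;
}
```

Any `strlen`, `strcpy` or `%s` use of the unterminated buffer reads past the allocation until it happens to meet a zero byte, which is the kind of access valgrind or AddressSanitizer reports directly.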