bug-gettext

Re: [bug-gettext] Bug#876498: gettext: msgunfmt: heap corruption


From: Jakub Wilk
Subject: Re: [bug-gettext] Bug#876498: gettext: msgunfmt: heap corruption
Date: Sat, 23 Sep 2017 19:43:16 +0200
User-agent: NeoMutt/20170609 (1.8.3)

* Daiki Ueno <address@hidden>, 2017-09-23, 18:22:
> Running msgunfmt under valgrind might give you more hints.

Curiously, it no longer crashes under valgrind, but a bunch of out-of-bounds reads are reported:

  Invalid read of size 1
     at 0x4831097: index (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x10AD42: read_mo_file (read-mo.c:374)
     by 0x109B59: read_one_file (msgunfmt.c:555)
     by 0x109B59: main (msgunfmt.c:401)
   Address 0x6fa2722 is 0 bytes after a block of size 2 alloc'd
     at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x48CD289: xmalloc (xmalloc.c:65)
     by 0x10A713: get_sysdep_string.isra.1 (read-mo.c:197)
     by 0x10AD36: read_mo_file (read-mo.c:372)
     by 0x109B59: read_one_file (msgunfmt.c:555)
     by 0x109B59: main (msgunfmt.c:401)

  Invalid read of size 1
     at 0x48313E3: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x10AD9D: read_mo_file (read-mo.c:392)
     by 0x109B59: read_one_file (msgunfmt.c:555)
     by 0x109B59: main (msgunfmt.c:401)
   Address 0x6fa2722 is 0 bytes after a block of size 2 ...

  Invalid read of size 1
     at 0x487388E: format_parse_entrails (format-c-parse.h:199)
     by 0x487388E: format_parse (format-c.c:68)
     by 0x10AE3F: read_mo_file (read-mo.c:414)
     by 0x109B59: read_one_file (msgunfmt.c:555)
     by 0x109B59: main (msgunfmt.c:401)
   Address 0x6fa2722 is 0 bytes after a block of size 2 ...

  Invalid read of size 1
     at 0x48313E3: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x10AE1E: read_mo_file (read-mo.c:411)
     by 0x109B59: read_one_file (msgunfmt.c:555)
     by 0x109B59: main (msgunfmt.c:401)
   Address 0x6fa2722 is 0 bytes after a block of size 2 ...

  Invalid read of size 1
     at 0x487388E: format_parse_entrails (format-c-parse.h:199)
     by 0x487388E: format_parse (format-c.c:68)
     by 0x10AF03: read_mo_file (read-mo.c:432)
     by 0x109B59: read_one_file (msgunfmt.c:555)
     by 0x109B59: main (msgunfmt.c:401)
   Address 0x6fa2f88 is 0 bytes after a block of size 2,096 alloc'd
     at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x48CD289: xmalloc (xmalloc.c:65)
     by 0x10A713: get_sysdep_string.isra.1 (read-mo.c:197)
     by 0x10AD89: read_mo_file (read-mo.c:388)
     by 0x109B59: read_one_file (msgunfmt.c:555)
     by 0x109B59: main (msgunfmt.c:401)

  Invalid read of size 1
     at 0x48313E3: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x10AEE6: read_mo_file (read-mo.c:429)
     by 0x109B59: read_one_file (msgunfmt.c:555)
     by 0x109B59: main (msgunfmt.c:401)
   Address 0x6fa2f88 is 0 bytes after a block of size 2,096 alloc'd ...

> I am suspecting this is caused by a missing NUL termination in get_sysdep_string in read-mo.c, which should be fixed by the attached patch.

Thanks. The patch fixes the crash and all valgrind warnings.

--
Jakub Wilk
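The bug class discussed in the thread (a heap buffer assembled from length-delimited pieces, handed to strlen()/index() without a terminating NUL), as an added example that is not code from gettext or from either poster. The `struct piece` type and the `join_pieces_*` names are assumptions; the real `get_sysdep_string` in read-mo.c is not reproduced here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration: a string is assembled from length-delimited
   pieces read out of a .mo file, and the pieces carry no terminator.
   Hypothetical names; this is NOT get_sysdep_string from read-mo.c. */
struct piece {
    const char *data;   /* not NUL-terminated */
    size_t len;
};

/* Buggy shape: the buffer is sized to the payload only and no '\0' is
   written.  The result is not a C string; strlen()/index() on it walk off
   the end of the heap block ("0 bytes after a block of size 2" above). */
char *join_pieces_buggy(const struct piece *p, size_t n)
{
    size_t total = 0, pos = 0;
    for (size_t i = 0; i < n; i++)
        total += p[i].len;
    char *buf = malloc(total);                /* no room for the terminator */
    if (buf == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + pos, p[i].data, p[i].len);
        pos += p[i].len;
    }
    return buf;                               /* missing buf[total] = '\0' */
}

/* Fixed shape: reserve one extra byte, reject lengths that would overflow
   the size sum (they come from an untrusted file), and terminate. */
char *join_pieces_fixed(const struct piece *p, size_t n)
{
    size_t total = 0, pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i].len > SIZE_MAX - 1 - total)  /* total + len + 1 must fit */
            return NULL;
        total += p[i].len;
    }
    char *buf = malloc(total + 1);
    if (buf == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + pos, p[i].data, p[i].len);
        pos += p[i].len;
    }
    buf[total] = '\0';                        /* now safe for strlen()/index() */
    return buf;
}
```

Under valgrind, calling strlen() on the buggy result reports the same "Invalid read of size 1 ... 0 bytes after a block" as in the log above, while the fixed result is clean.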