[bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext

From: anonymous
Subject: [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext
Date: Wed, 04 May 2016 18:15:54 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.29 Safari/537.36
URL:
<http://savannah.gnu.org/bugs/?47847>
Summary: Undefined behavior [use-after-free] possible in libgettext
Project: GNU gettext
Submitted by: None
Submitted on: Wed 04 May 2016 06:15:52 PM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
A Coverity warning for KDE's "KI18n" framework for internationalization noted
that a piece of code derived from libgettext uses the indeterminate value of a
free()'d pointer in a comparison with a different pointer (but only when
_LIBGETTEXT_HAVE_VARIABLE_SIZE_ARRAYS is not defined).
The bug appears to still be present in the gettext upstream; see
http://git.savannah.gnu.org/cgit/gettext.git/tree/gnulib-local/lib/gettext.h#n236
and
http://git.savannah.gnu.org/cgit/gettext.git/tree/gnulib-local/lib/gettext.h#n282
According to the C standard, any use of the 'indeterminate' value of a
free()'d pointer is UB, no matter how innocuous (see entry 10 from
https://www.securecoding.cert.org/confluence/display/c/CC.+Undefined+Behavior,
which quotes the standard's Annex J.2 directly).
A reasonable fix is to convert the pointers to be compared to uintptr while
both pointers are still valid, and then do the comparisons needed against the
uintptrs. Alternately, one could use a boolean flag to save the result of the
comparison while the pointers are both valid, free the memory if needed, and
then branch based on the comparison result.
Either of these would fix the UB while maintaining the right behavior.
I will fix in KDE but wanted to make sure upstream was warned. Please contact
at address@hidden (or simply the address@hidden mailing list) if
you need to reach out for more information. I have checked the public bug
listing and did not see an existing report, my apologies if this is a dupe.
Regards,
- Michael Pyne
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?47847>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
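The pattern the report describes, and the two repairs it proposes, as an added example that is not code from gettext, from KI18n, or from the reporter. The real code lives in a dcpgettext_expr-style helper that builds "msgctxt\004msgid", hands it to dcgettext, frees the heap copy, and only then compares the returned pointer against the freed one. Here fake_dcgettext is a stand-in that keeps dcgettext's contract of returning the msgid pointer it was given when no translation exists, the two-entry catalog is constructed, and the 8-byte stack buffer is deliberately tiny so that the heap path (the one with the bug) is exercised. pgettext_buggy reproduces the undefined comparison and is kept only for reading; main() and the assertions exercise the two fixed variants, which compute the comparison (as a flag or as uintptr_t values) while both pointers are still valid.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for dcgettext(): looks msgid up in a constructed catalog and,
   like the real function, returns the very msgid pointer it was given when
   there is no translation. That contract is why the caller compares
   translation against msg_ctxt_id at all. */
static const char *
fake_dcgettext (const char *msgid)
{
  static const struct { const char *id; const char *str; } catalog[] = {
    { "Menu\004File", "Datei" },        /* constructed entries */
    { "Menu\004Edit", "Bearbeiten" },
  };
  for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++)
    if (strcmp (catalog[i].id, msgid) == 0)
      return catalog[i].str;
  return msgid;
}

/* Build "msgctxt\004msgid" into buf when it fits, otherwise on the heap
   (the non-VLA path of gettext.h). Returns NULL on allocation failure. */
static char *
build_ctxt_id (const char *msgctxt, const char *msgid, char *buf, size_t bufsize)
{
  size_t msgctxt_len = strlen (msgctxt) + 1;
  size_t msgid_len = strlen (msgid) + 1;
  char *msg_ctxt_id = (msgctxt_len + msgid_len <= bufsize)
                      ? buf : (char *) malloc (msgctxt_len + msgid_len);
  if (msg_ctxt_id == NULL)
    return NULL;
  memcpy (msg_ctxt_id, msgctxt, msgctxt_len - 1);
  msg_ctxt_id[msgctxt_len - 1] = '\004';
  memcpy (msg_ctxt_id + msgctxt_len, msgid, msgid_len);
  return msg_ctxt_id;
}

/* BUGGY (mirrors the reported pattern, not called below): on the heap path
   msg_ctxt_id is free()'d and its indeterminate value is then read in the
   comparison, which C11 Annex J.2 lists as undefined behavior. */
const char *
pgettext_buggy (const char *msgctxt, const char *msgid)
{
  char buf[8];                       /* tiny on purpose: forces the heap path */
  char *msg_ctxt_id = build_ctxt_id (msgctxt, msgid, buf, sizeof buf);
  if (msg_ctxt_id == NULL)
    return msgid;
  const char *translation = fake_dcgettext (msg_ctxt_id);
  if (msg_ctxt_id != buf)
    free (msg_ctxt_id);
  if (translation != msg_ctxt_id)    /* UB: msg_ctxt_id is indeterminate here */
    return translation;
  return msgid;
}

/* Fix 1, the flag approach: decide while both pointers are valid, free,
   then branch on the saved result. translation is only returned when it
   is NOT the freed buffer, so no freed pointer value is ever used. */
const char *
pgettext_fixed_flag (const char *msgctxt, const char *msgid)
{
  char buf[8];
  char *msg_ctxt_id = build_ctxt_id (msgctxt, msgid, buf, sizeof buf);
  if (msg_ctxt_id == NULL)
    return msgid;
  const char *translation = fake_dcgettext (msg_ctxt_id);
  int found = (translation != msg_ctxt_id);   /* both pointers still valid */
  if (msg_ctxt_id != buf)
    free (msg_ctxt_id);
  return found ? translation : msgid;
}

/* Fix 2, the uintptr_t approach: snapshot both addresses as integers while
   the pointers are valid; after free() only the integers are compared. */
const char *
pgettext_fixed_uintptr (const char *msgctxt, const char *msgid)
{
  char buf[8];
  char *msg_ctxt_id = build_ctxt_id (msgctxt, msgid, buf, sizeof buf);
  if (msg_ctxt_id == NULL)
    return msgid;
  const char *translation = fake_dcgettext (msg_ctxt_id);
  uintptr_t id_addr = (uintptr_t) msg_ctxt_id;
  uintptr_t tr_addr = (uintptr_t) translation;
  if (msg_ctxt_id != buf)
    free (msg_ctxt_id);
  if (tr_addr != id_addr)
    return translation;
  return msgid;
}

int
main (void)
{
  printf ("%s\n", pgettext_fixed_flag ("Menu", "File"));      /* Datei */
  printf ("%s\n", pgettext_fixed_uintptr ("Menu", "Edit"));   /* Bearbeiten */
  printf ("%s\n", pgettext_fixed_flag ("Menu", "Quit"));      /* Quit (untranslated) */
  return 0;
}
```

Note that AddressSanitizer does not flag pgettext_buggy by default: it instruments dereferences, and this bug is a bare pointer comparison. GCC's -fsanitize=pointer-compare (run with ASAN_OPTIONS=detect_invalid_pointer_pairs=2) is the instrumentation aimed at exactly this class of defect, which is presumably why the issue surfaced through Coverity's static analysis rather than at runtime.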
Thread:
- [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, anonymous (this message)
- [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, Daiki Ueno, 2016/05/08
- [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, Bruno Haible, 2016/05/09
- [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, Daiki Ueno, 2016/05/09
- Re: [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, Michael Pyne, 2016/05/09
- Re: [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, Daiki Ueno, 2016/05/09
- Re: [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, Michael Pyne, 2016/05/10
- Re: [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, Daiki Ueno, 2016/05/10
- Re: [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, Daiki Ueno, 2016/05/12
- [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext, Daiki Ueno, 2016/05/12