Re: Segmentation fault in dcigettext.c:925 using Apache + PHP
From: Wiebe Cazemier
Subject: Re: Segmentation fault in dcigettext.c:925 using Apache + PHP
Date: Tue, 16 Jun 2020 17:41:10 +0200 (CEST)
----- Original Message -----
> From: "Wiebe Cazemier" <wiebe@halfgaar.net>
> To: "Bruno Haible" <bruno@clisp.org>
> Cc: bug-gettext@gnu.org
> Sent: Sunday, 7 June, 2020 11:55:41
> Subject: Re: Segmentation fault in dcigettext.c:925 using Apache + PHP
>
>>
>> The file you sent is a valid .mo file; in fact, it was (or could have been)
>> generated by GNU msgfmt.
>>
>> The relevant code in glibc-2.27/intl/dcigettext.c is most likely correct;
>> no algorithmic bug is known in this code for more than 8 years.
>>
>> The remaining likely possibility is that the application you are running has
>> memory bugs (writes into arbitrary locations). I would recommend that you
>> run this application under valgrind.
>>
>> Bruno
I'd like to revisit this. The dcigettext.c from glibc-2.27, Ubuntu 18.04,
around line 925 (marked) is:
      /* Compare msgid with the original string at index nstr.
         We compare the lengths with >=, not ==, because plural entries
         are represented by strings with an embedded NUL.  */
      if (nstr < nstrings
          ? W (domain->must_swap, domain->orig_tab[nstr].length) >= len
            && (strcmp (msgid,
                        domain->data + W (domain->must_swap,
                                          domain->orig_tab[nstr].offset))
                == 0)
          : domain->orig_sysdep_tab[nstr - nstrings].length > len
            && (strcmp (msgid,                                   // <- Line 925
                        domain->orig_sysdep_tab[nstr - nstrings].pointer)
                == 0))
        {
          act = nstr;
          goto found;
        }
gdb can't access nstr, probably because it's only stored in a register. However:
(gdb) print domain->orig_sysdep_tab
$5 = (const struct sysdep_string_desc *) 0x0
I would have expected it to crash on the line above it (because it also
references 'domain->orig_sysdep_tab'), but because gdb says 'len' is optimized
out, perhaps line 924 isn't executed.
I can't quite figure out how to trip that swapping code. Perhaps then I could
reproduce it. But, it seems to me it shouldn't call this with
'domain->orig_sysdep_tab' being 0/NULL?
Regards,
Wiebe
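An added consistency check for the situation described in this message; it is not code from this thread and not glibc code. It walks the hash table of a .mo catalog the way the lookup quoted above does (slot value minus one gives nstr) and counts slots whose nstr is >= nstrings while the catalog carries no system-dependent strings, which is exactly the case in which the strcmp at the marked line would index a NULL orig_sysdep_tab. If a catalog passes this check, a hash slot in the file cannot be what steers the lookup into that branch. Assumptions, stated in the code as well: the header field offsets and the rule that the sysdep fields exist when the minor revision (low 16 bits) is >= 1 are taken from gettext's gmo.h layout; the sample catalog produced by build_sample_mo() is constructed for the example and its hash slot positions are not computed with gettext's hash function, which the check does not need. main() accepts a path so it can be pointed at a real catalog.

```c
/* mo_hashcheck.c -- added example, not glibc code and not from the thread.
 * Counts hash slots of a GNU .mo catalog whose 1-based string index would
 * send gettext's lookup into the "nstr >= nstrings" branch (orig_sysdep_tab).
 * Assumed layout (from gmo.h): 32-bit fields in file byte order, magic
 * 0x950412de at 0, revision at 4, nstrings at 8, hash_tab_size at 20,
 * hash_tab_offset at 24, n_sysdep_strings at 36 when minor revision >= 1.
 * Hash entries are 1-based; 0 marks an empty slot. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MO_MAGIC          0x950412deU
#define MO_MAGIC_SWAPPED  0xde120495U   /* magic as seen when file order != host order */

/* Read a 32-bit field, swapping bytes when file and host order differ
 * (the job glibc's W() macro does in the quoted code). */
static uint32_t rd32(const unsigned char *p, int swap)
{
    uint32_t v;
    memcpy(&v, p, 4);
    if (swap)
        v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v & 0xff00u) << 8) | (v << 24);
    return v;
}

/* Returns the number of hash slots pointing past the last valid string index,
 * or -1 if buf is not a .mo catalog or is too short for its own tables. */
int mo_check_hash(const unsigned char *buf, size_t len)
{
    uint32_t magic, revision, nstrings, hash_size, hash_off, n_sysdep = 0;
    int swap, bad = 0;

    if (len < 28)
        return -1;
    memcpy(&magic, buf, 4);
    if (magic == MO_MAGIC)
        swap = 0;
    else if (magic == MO_MAGIC_SWAPPED)
        swap = 1;
    else
        return -1;

    revision  = rd32(buf + 4, swap);
    nstrings  = rd32(buf + 8, swap);
    hash_size = rd32(buf + 20, swap);
    hash_off  = rd32(buf + 24, swap);
    if ((revision & 0xffffu) >= 1) {          /* minor revision >= 1: sysdep fields present */
        if (len < 48)
            return -1;
        n_sysdep = rd32(buf + 36, swap);      /* n_sysdep_strings */
    }
    if (hash_off > len || (size_t)hash_size > (len - hash_off) / 4)
        return -1;                            /* hash table runs off the end of the file */

    for (uint32_t i = 0; i < hash_size; i++) {
        uint32_t entry = rd32(buf + hash_off + (size_t)4 * i, swap);
        if (entry == 0)
            continue;                         /* empty slot */
        uint32_t nstr = entry - 1;            /* gettext decrements the slot value */
        /* Two comparisons instead of nstrings + n_sysdep so the sum cannot wrap.
         * With n_sysdep == 0 this is exactly "nstr >= nstrings". */
        if (nstr >= nstrings && nstr - nstrings >= n_sysdep)
            bad++;
    }
    return bad;
}

static void put32(unsigned char *p, uint32_t v)   /* little-endian file order */
{
    p[0] = (unsigned char)v;        p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Constructed sample: minimal little-endian revision-0 catalog, one entry
 * ("hello" -> "hallo"), 3-slot hash table.  slot1 is planted into hash slot 1
 * so a caller can mimic a corrupted table.  Slot positions are arbitrary, not
 * derived from gettext's hash function.  Returns the size (68 bytes). */
size_t build_sample_mo(unsigned char *out, uint32_t slot1)
{
    memset(out, 0, 68);
    put32(out + 0, MO_MAGIC);
    put32(out + 4, 0);                          /* revision 0.0: no sysdep tables */
    put32(out + 8, 1);                          /* nstrings */
    put32(out + 12, 28);                        /* orig_tab_offset */
    put32(out + 16, 36);                        /* trans_tab_offset */
    put32(out + 20, 3);                         /* hash_tab_size */
    put32(out + 24, 44);                        /* hash_tab_offset */
    put32(out + 28, 5);  put32(out + 32, 56);   /* orig[0]: length, offset of "hello" */
    put32(out + 36, 5);  put32(out + 40, 62);   /* trans[0]: length, offset of "hallo" */
    put32(out + 44, 1);                         /* slot 0 -> string index 1 (nstr 0) */
    put32(out + 48, slot1);                     /* slot 1 -> caller's choice */
    put32(out + 52, 0);                         /* slot 2 empty */
    memcpy(out + 56, "hello", 6);
    memcpy(out + 62, "hallo", 6);
    return 68;
}

int main(int argc, char **argv)
{
    unsigned char sample[68];
    if (argc > 1) {                             /* check a real catalog from disk */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
        unsigned char *data = malloc(sz > 0 ? (size_t)sz : 1);
        size_t n = data ? fread(data, 1, (size_t)sz, f) : 0;
        fclose(f);
        int bad = data ? mo_check_hash(data, n) : -1;
        free(data);
        printf("%s: %d bad hash slot(s)\n", argv[1], bad);
        return bad != 0;
    }
    size_t n = build_sample_mo(sample, 0);
    printf("intact sample: %d bad slot(s)\n", mo_check_hash(sample, n));
    n = build_sample_mo(sample, 7);             /* slot 1 -> nstr 6, past the one string */
    printf("corrupted sample: %d bad slot(s)\n", mo_check_hash(sample, n));
    return 0;
}
```

Run it as `./mo_hashcheck /path/to/messages.mo`; a result of 0 means no slot in the file's own table can produce nstr >= nstrings, so a crash in the sysdep branch would have to come from the in-memory copy of the table or the domain structure, not from the bytes on disk.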