URL: <http://savannah.gnu.org/bugs/?47847>
Summary: Undefined behavior [use-after-free] possible in libgettext
Project: GNU gettext
Submitted by: None
Submitted on: Wed 04 May 2016 06:15:52 PM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

A Coverity warning for KDE's "KI18n" framework for internationalization noted that a piece of code derived from libgettext uses the indeterminate value of a free()'d pointer in a comparison with a different pointer (but only when _LIBGETTEXT_HAVE_VARIABLE_SIZE_ARRAYS is not defined).

The bug appears to still be present in the gettext upstream; see
http://git.savannah.gnu.org/cgit/gettext.git/tree/gnulib-local/lib/gettext.h#n236
and
http://git.savannah.gnu.org/cgit/gettext.git/tree/gnulib-local/lib/gettext.h#n282

According to the C standard, any use of the 'indeterminate' value of a free()'d pointer is UB, no matter how innocuous (see entry 10 from https://www.securecoding.cert.org/confluence/display/c/CC.+Undefined+Behavior, which quotes the standard's Annex J.2 directly).

A reasonable fix is to convert the pointers to be compared to uintptr while both pointers are still valid, and then do the comparisons needed against the uintptrs. Alternately, one could use a boolean flag to save the result of the comparison while the pointers are both valid, free the memory if needed, and then branch based on the comparison result. Either of these would fix the UB while maintaining the right behavior.

I will fix in KDE but wanted to make sure upstream was warned. Please contact at mp...@kde.org (or simply the kde-frameworks-de...@kde.org mailing list) if you need to reach out for more information.

I have checked the public bug listing and did not see an existing report, my apologies if this is a dupe.
Regards,
 - Michael Pyne
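To make the reported pattern and the two proposed fixes concrete, here is an added, self-contained C illustration. It is not gettext's or KI18n's code: the lookup table, the stand-in lookup_with_context() (playing the role of dcgettext(), which returns its argument pointer when no translation exists), the helper build_key(), the 32-byte stack buffer and the three pgettext_* functions are all assumptions made for this example. pgettext_buggy() keeps the shape the report describes (free the heap key, then compare against it); pgettext_fixed() applies the boolean-flag fix and pgettext_fixed_uintptr() the integer-snapshot fix.

```c
/* Added example, not the gettext project's code. All names and the
   lookup table below are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for dcgettext(): returns the translation when the
   "msgctxt\004msgid" key is known, otherwise returns the key pointer
   itself. That convention is what forces the caller into a pointer
   comparison to learn whether a translation was found. */
static const char *lookup_with_context(const char *key)
{
    static const struct { const char *key; const char *translation; } table[] = {
        { "menu\004File", "Datei" },
        { "verb\004File", "Ablegen" },
        { "this context is deliberately longer than the stack buffer\004Open",
          "Oeffnen" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].key, key) == 0)
            return table[i].translation;
    return key;   /* not found: the caller gets its own buffer back */
}

/* Build "msgctxt\004msgid" in the caller's stack buffer, falling back to
   malloc() for long keys. This is the non-VLA branch the report refers to:
   the key may or may not be heap memory that later needs free(). */
static char *build_key(const char *msgctxt, const char *msgid,
                       char *buf, size_t bufsize)
{
    size_t ctxlen = strlen(msgctxt) + 1, idlen = strlen(msgid) + 1;
    char *key = (ctxlen + idlen <= bufsize) ? buf : (char *)malloc(ctxlen + idlen);
    if (key == NULL)
        return NULL;
    memcpy(key, msgctxt, ctxlen - 1);
    key[ctxlen - 1] = '\004';
    memcpy(key + ctxlen, msgid, idlen);
    return key;
}

/* BEFORE: the shape Coverity flagged. When the key lives on the heap it is
   freed first and only then compared with 'translation'. No dereference
   happens, but the comparison still reads the indeterminate value of a
   freed pointer, which the C standard leaves undefined. */
const char *pgettext_buggy(const char *msgctxt, const char *msgid)
{
    char buf[32];
    char *key = build_key(msgctxt, msgid, buf, sizeof buf);
    if (key == NULL)
        return msgid;
    const char *translation = lookup_with_context(key);
    if (key != buf)
        free(key);
    if (translation != key)   /* UB: 'key' is indeterminate after free() */
        return translation;
    return msgid;
}

/* AFTER (boolean-flag fix from the report): decide while both pointers
   are valid, free, then branch on the saved result. */
const char *pgettext_fixed(const char *msgctxt, const char *msgid)
{
    char buf[32];
    char *key = build_key(msgctxt, msgid, buf, sizeof buf);
    if (key == NULL)
        return msgid;
    const char *translation = lookup_with_context(key);
    int found = (translation != key);   /* evaluated before free() */
    if (key != buf)
        free(key);
    return found ? translation : msgid;
}

/* AFTER (uintptr_t fix from the report): snapshot the address as an
   integer while the pointer is valid, then compare integers, which is
   well-defined regardless of what happened to the allocation. */
const char *pgettext_fixed_uintptr(const char *msgctxt, const char *msgid)
{
    char buf[32];
    char *key = build_key(msgctxt, msgid, buf, sizeof buf);
    if (key == NULL)
        return msgid;
    const char *translation = lookup_with_context(key);
    uintptr_t key_addr = (uintptr_t)key;   /* taken while key is valid */
    if (key != buf)
        free(key);
    return ((uintptr_t)translation != key_addr) ? translation : msgid;
}

int main(void)
{
    printf("%s\n", pgettext_fixed("menu", "File"));          /* Datei */
    printf("%s\n", pgettext_fixed("noun", "File"));          /* File */
    printf("%s\n", pgettext_fixed_uintptr(
        "this context is deliberately longer than the stack buffer", "Open"));
    return 0;
}
```

Both fixed variants return the caller's own msgid pointer when no translation exists, exactly as the buggy version intends; the long-context case exercises the malloc() path where the freed pointer would otherwise be compared. Note that a compiler is entitled to optimise on the assumption that UB never happens, so "it worked in testing" is not evidence that the original comparison is safe.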