Jakub Wilk <jw...@jwilk.net> writes:
> Package: gettext
> Version: 0.19.8.1-4
>
> msgunfmt crashes on the attached file:
>
> $ zcat bad.mo.gz | msgunfmt
> *** Error in `msgunfmt': corrupted size vs. prev_size: 0x57b0abf0 ***
> ...
> Aborted
>
> Unhelpful backtrace:
Running msgunfmt under valgrind might give you more hints.

Anyway, I am suspecting this is caused by a missing NUL termination in get_sysdep_string in read-mo.c, which should be fixed by the attached patch.

Regards,
--
Daiki Ueno
>From 3c66e050e344ec890f0c1e467753c2ed46bc7bb8 Mon Sep 17 00:00:00 2001 From: Daiki Ueno <u...@gnu.org> Date: Sat, 23 Sep 2017 18:09:33 +0200 Subject: [PATCH] msgunfmt: Avoid heap buffer overrun * gettext-tools/src/read-mo.c (get_sysdep_string): NUL-terminate the result. * gettext-tools/tests/msgunfmt-3: Check no-nul-sysdep.mo. * gettext-tools/tests/no-nul-sysdep.mo: New test data. Reported by Jakub Wilk in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876498 --- gettext-tools/src/read-mo.c | 3 ++- gettext-tools/tests/msgunfmt-3 | 4 ++-- gettext-tools/tests/no-nul-sysdep.mo | Bin 0 -> 2805 bytes 3 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 gettext-tools/tests/no-nul-sysdep.mo diff --git a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c index 9ddd6b2d2..33d7a5828 100644 --- a/gettext-tools/src/read-mo.c +++ b/gettext-tools/src/read-mo.c @@ -194,7 +194,8 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset, } /* Allocate and fill the string. */ - string = XNMALLOC (length, char); + string = XNMALLOC (length + 1, char); + string[length] = '\0'; p = string; s_offset = get_uint32 (bfp, offset); for (i = 4; ; i += 8) diff --git a/gettext-tools/tests/msgunfmt-3 b/gettext-tools/tests/msgunfmt-3 index 42dc1cc55..3d06d1c52 100755 --- a/gettext-tools/tests/msgunfmt-3 +++ b/gettext-tools/tests/msgunfmt-3 @@ -5,8 +5,8 @@ : ${MSGUNFMT=msgunfmt} -for n in 1 2 3 4 5 6; do - LANGUAGE= LC_ALL=C ${MSGUNFMT} "$abs_srcdir"/overflow-$n.mo 2>mu-3.err >/dev/null +for f in "$abs_srcdir"/overflow-*.mo "$abs_srcdir"/no-nul-sysdep.mo; do + LANGUAGE= LC_ALL=C ${MSGUNFMT} $f 2>mu-3.err >/dev/null test $? != 0 || Exit 1 grep ' is truncated' mu-3.err >/dev/null || Exit 1 done 
diff --git a/gettext-tools/tests/no-nul-sysdep.mo b/gettext-tools/tests/no-nul-sysdep.mo new file mode 100644 index 0000000000000000000000000000000000000000..6bcaa510535cc77b4b1bd48ecad9741bd4549021 GIT binary patch literal 2805 zcmca7#4^>ufB_5);D7<nf-o2iT!1P(fEYyr%JTt=CxGODm<fpg0|8teNSp&r3@$m! k7!85Z5Eu=C(GVC7fzc2c4S_)(0;sK@LGIX5=iv+i0ObD<LI3~& literal 0 HcmV?d00001 -- 2.13.5
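Review bot: in the read-mo.c hunk, the new `string[length] = '\0';` and the `length + 1` carry no comment explaining why the extra byte is needed; since the loop that follows copies exactly `length` bytes, a later cleanup could mistake the `+ 1` for a no-op and reintroduce the overrun. Suggest a comment above the allocation such as `/* Reserve one extra byte: the loop below fills exactly LENGTH bytes, so the terminator must be placed here.  */`. It is also worth confirming that `length` has been bounded against the file size before this point, because `length + 1` wraps to 0 when `length` is SIZE_MAX.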
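Review bot: in the msgunfmt-3 hunk, `${MSGUNFMT} $f` leaves `$f` unquoted although the line it replaces quoted `"$abs_srcdir"`; a source directory containing whitespace would now be split into several arguments. Suggest `LANGUAGE= LC_ALL=C ${MSGUNFMT} "$f" 2>mu-3.err >/dev/null`. Since every file in the loop must now fail with the same ' is truncated' diagnostic, a one-line comment above the loop stating that expectation would make the intent of adding no-nul-sysdep.mo to this test explicit.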
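Review bot: the no-nul-sysdep.mo hunk adds the test input as an opaque binary literal, and neither the commit message nor msgunfmt-3 says how it was produced or which system-dependent string lacks its terminator. A short note on how the file was generated would let the case be regenerated if the .mo reader changes, and makes it possible to verify that the input exercises the get_sysdep_string path rather than failing earlier.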
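The defect Daiki describes above, a string assembled from a computed byte count with no room left for the terminator, is easy to see in isolation. The following is an added C example written for this thread, not gettext code: `struct fragment`, `concat_unterminated`, `concat_terminated` and the demo input are hypothetical stand-ins for what `get_sysdep_string` in read-mo.c does when it rebuilds a system-dependent string from pieces read out of the .mo file. The pre-fix version allocates exactly `length` bytes and fills all of them; the post-fix version mirrors the patch by allocating `length + 1` and writing the NUL before the fill.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the pieces get_sysdep_string() concatenates;
   not gettext's representation. */
struct fragment
{
  const char *text;
  size_t len;
};

/* Constructed sample input: two pieces, 12 payload bytes in total. */
static const struct fragment demo_fragments[] = {
  { "Hello, ", 7 },
  { "world", 5 },
};
static const size_t demo_count =
  sizeof demo_fragments / sizeof demo_fragments[0];

/* Sum of the payload bytes: the LENGTH the allocation is sized from. */
static size_t fragments_length (const struct fragment *frags, size_t n)
{
  size_t total = 0;
  for (size_t i = 0; i < n; i++)
    total += frags[i].len;
  return total;
}

/* Copies the fragments back to back; writes exactly LENGTH bytes. */
static void fill (char *dest, const struct fragment *frags, size_t n)
{
  char *p = dest;
  for (size_t i = 0; i < n; i++)
    {
      memcpy (p, frags[i].text, frags[i].len);
      p += frags[i].len;
    }
}

/* Pre-fix pattern: the buffer is exactly LENGTH bytes and the fill uses all
   of them, so no byte is left for '\0'.  Any consumer that expects a C
   string (strlen, strcpy, printf "%s") then reads past the allocation. */
static char *concat_unterminated (const struct fragment *frags, size_t n)
{
  size_t length = fragments_length (frags, n);
  char *string = malloc (length);        /* no room for the terminator */
  if (string == NULL)
    return NULL;
  fill (string, frags, n);
  return string;
}

/* Post-fix pattern, as in the patch: reserve one extra byte and write the
   terminator before filling, so the result is always a valid C string. */
static char *concat_terminated (const struct fragment *frags, size_t n)
{
  size_t length = fragments_length (frags, n);
  char *string = malloc (length + 1);    /* +1 for '\0' */
  if (string == NULL)
    return NULL;
  string[length] = '\0';
  fill (string, frags, n);
  return string;
}

/* Bounded check that never reads past ALLOC bytes: is there a NUL anywhere
   inside the allocation?  memchr is used instead of strlen on purpose. */
static int has_terminator (const char *s, size_t alloc)
{
  return memchr (s, '\0', alloc) != NULL;
}

/* Returns 1 when the pre-fix buffer holds no NUL within its LENGTH bytes. */
int unfixed_buffer_lacks_nul (void)
{
  size_t length = fragments_length (demo_fragments, demo_count);
  char *s = concat_unterminated (demo_fragments, demo_count);
  int lacks = s != NULL && !has_terminator (s, length);
  free (s);
  return lacks;
}

/* Returns 1 when the post-fix buffer is terminated and holds the text. */
int fixed_buffer_is_valid_string (void)
{
  size_t length = fragments_length (demo_fragments, demo_count);
  char *s = concat_terminated (demo_fragments, demo_count);
  int ok = s != NULL && has_terminator (s, length + 1)
           && strlen (s) == length && strcmp (s, "Hello, world") == 0;
  free (s);
  return ok;
}

int main (void)
{
  printf ("pre-fix buffer lacks NUL: %d\n", unfixed_buffer_lacks_nul ());
  printf ("post-fix buffer is a C string: %d\n", fixed_buffer_is_valid_string ());
  return 0;
}
```

The example deliberately never calls `strlen` on the pre-fix buffer, so it runs cleanly; the point is that `has_terminator` is the only safe way to inspect it. Building it with `-fsanitize=address` (or running it under valgrind, as suggested above) and adding a `strlen` on the result of `concat_unterminated` is what turns the latent defect into a reported heap over-read, which is the class of finding the `corrupted size vs. prev_size` abort in the original report points at.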