Tim Rühsen wrote:
> Just reading this CVE [1] from a week ago makes me want to
> disable all large allocations on the stack.
> Yes please. Any chance to remove it from gettext.h?
> #if _LIBGETTEXT_HAVE_VARIABLE_SIZE_ARRAYS
>   char msg_ctxt_id[msgctxt_len + msgid_len];
> #else

It's already removed from gettext.h if you define GNULIB_NO_VLA.
Typical applications never give dcpgettext_expr arguments so long that its VLA
will crush the stack. For these applications enabling VLAs can be a minor
performance win, so I'm not inclined to define GNULIB_NO_VLA for the apps I help
maintain.

Ironically, though, one of the few applications that needs to support
really-long message-IDs is the 'gettext' program itself. This might be an
argument for disabling use of VLAs in libgettext, even though most applications
work just fine with VLAs. If we do that, GNULIB_NO_VLA will have no effect
since lib/gettext.h is the only source file where Gnulib creates VLAs.
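
The alternative to the VLA discussed in this message, as an added example (not code from gettext.h or Gnulib): build the context-plus-msgid lookup key in a small fixed buffer and fall back to the heap for long inputs, so stack use stays bounded however long the message-ID is. The 256-byte threshold and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMALL_KEY 256 /* assumed threshold, chosen for this example */

/* Build "msgctxt\004msgid" without a VLA. Uses the caller's fixed buffer when
   the key fits, otherwise malloc. Sets *on_heap when the caller must free(). */
static char *build_key(const char *msgctxt, const char *msgid,
                       char *small, size_t small_size, int *on_heap)
{
  size_t ctxt_len = strlen(msgctxt) + 1; /* +1 for the separator */
  size_t id_len = strlen(msgid) + 1;     /* +1 for the terminating NUL */
  char *key = small;

  *on_heap = 0;
  if (id_len > SIZE_MAX - ctxt_len)      /* the sum would wrap around */
    return NULL;
  if (ctxt_len + id_len > small_size) {
    key = malloc(ctxt_len + id_len);     /* failure is reported, not a crash */
    if (key == NULL)
      return NULL;
    *on_heap = 1;
  }
  memcpy(key, msgctxt, ctxt_len - 1);
  key[ctxt_len - 1] = '\004';            /* gettext's context separator */
  memcpy(key + ctxt_len, msgid, id_len);
  return key;
}

/* Hypothetical caller: returns the key length (0 on failure) and reports
   whether the heap path was taken. Stack cost is SMALL_KEY bytes at most. */
size_t key_length(const char *msgctxt, const char *msgid, int *on_heap)
{
  char small[SMALL_KEY];
  char *key = build_key(msgctxt, msgid, small, sizeof small, on_heap);
  size_t n;
  if (key == NULL) return 0;
  n = strlen(key);
  if (*on_heap) free(key);
  return n;
}

int main(void)
{
  int heap;
  size_t n = key_length("menu", "Open", &heap); /* constructed sample input */
  printf("len=%zu heap=%d\n", n, heap);
  return 0;
}
```

Unlike the VLA, an oversized request here ends in a checked malloc failure instead of an unchecked stack-pointer adjustment.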