fix_buggy_msgunfmt3.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

From: Giovanni Santini <giovannisantini93@yahoo.it>
Just fixed the patch for building against official PKGBUILD.
See below for original patch infos.

From 5d3eeaa0d3b7f4f6932bd29d859925a940b69459 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 11 Mar 2015 07:18:26 +0000
Subject: msgunfmt: Check allocated size for static segment

Reported by Max Lin in:
http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
* read-mo.c (get_sysdep_string): Check if the embedded segment
size is valid, before adding it to the string length.
---
diff -ur a/gettext-tools/src/ChangeLog b/gettext-tools/src/ChangeLog
--- a/gettext-tools/src/ChangeLog	2014-12-24 07:32:59.000000000 +0100
+++ b/gettext-tools/src/ChangeLog	2015-07-15 11:10:47.253402348 +0200
@@ -1,3 +1,11 @@
+2015-03-11  Daiki Ueno  <ueno@gnu.org>
+
+	msgunfmt: Check allocated size for static segment
+	Reported by Max Lin in:
+	http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
+	* read-mo.c (get_sysdep_string): Check if the embedded segment
+	size is valid, before adding it to the string length.
+
 2014-12-24  Daiki Ueno  <ueno@gnu.org>
 
 	* gettext 0.19.4 released.
diff -ur a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c
--- a/gettext-tools/src/read-mo.c	2014-12-09 09:43:46.000000000 +0100
+++ b/gettext-tools/src/read-mo.c	2015-07-15 11:15:24.563676393 +0200
@@ -149,6 +149,7 @@
   nls_uint32 s_offset;
 
   /* Compute the length.  */
+  s_offset = get_uint32 (bfp, offset);
   length = 0;
   for (i = 4; ; i += 8)
     {
@@ -158,9 +159,14 @@
       nls_uint32 ss_length;
       nls_uint32 ss_offset;
       size_t ss_end;
+      size_t s_end;
       size_t n;
 
+      s_end = xsum (s_offset, segsize);
+      if (size_overflow_p (s_end) || s_end > bfp->size)
+        error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
       length += segsize;
+      s_offset += segsize;
 
       if (sysdepref == SEGMENTS_END)
         break;
@@ -175,7 +181,7 @@
       ss_end = xsum (ss_offset, ss_length);
       if (size_overflow_p (ss_end) || ss_end > bfp->size)
         error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
-      if (!(ss_length > 0 && bfp->data[ss_offset + ss_length - 1] == '\0'))
+      if (!(ss_length > 0 && bfp->data[ss_end - 1] == '\0'))
         {
           char location[30];
           sprintf (location, "sysdep_segment[%u]", (unsigned int) sysdepref);
@@ -198,11 +204,8 @@
       nls_uint32 sysdep_segment_offset;
       nls_uint32 ss_length;
       nls_uint32 ss_offset;
-      size_t s_end = xsum (s_offset, segsize);
       size_t n;
 
-      if (size_overflow_p (s_end) || s_end > bfp->size)
-        error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
       memcpy (p, bfp->data + s_offset, segsize);
       p += segsize;
       s_offset += segsize;