From: Giovanni Santini <giovannisantini93@yahoo.it>
Just fixed the patch so that it builds against the official PKGBUILD.
See below for the original patch information.
From 5d3eeaa0d3b7f4f6932bd29d859925a940b69459 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 11 Mar 2015 07:18:26 +0000
Subject: msgunfmt: Check allocated size for static segment
Reported by Max Lin in:
http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
* read-mo.c (get_sysdep_string): Check if the embedded segment
size is valid, before adding it to the string length.
---
diff -ur a/gettext-tools/src/ChangeLog b/gettext-tools/src/ChangeLog
--- a/gettext-tools/src/ChangeLog 2014-12-24 07:32:59.000000000 +0100
+++ b/gettext-tools/src/ChangeLog 2015-07-15 11:10:47.253402348 +0200
@@ -1,3 +1,11 @@
+2015-03-11 Daiki Ueno <ueno@gnu.org>
+
+ msgunfmt: Check allocated size for static segment
+ Reported by Max Lin in:
+ http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
+ * read-mo.c (get_sysdep_string): Check if the embedded segment
+ size is valid, before adding it to the string length.
+
2014-12-24 Daiki Ueno <ueno@gnu.org>
* gettext 0.19.4 released.
diff -ur a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c
--- a/gettext-tools/src/read-mo.c 2014-12-09 09:43:46.000000000 +0100
+++ b/gettext-tools/src/read-mo.c 2015-07-15 11:15:24.563676393 +0200
@@ -149,6 +149,7 @@
nls_uint32 s_offset;
/* Compute the length. */
+ s_offset = get_uint32 (bfp, offset);
length = 0;
for (i = 4; ; i += 8)
{
@@ -158,9 +159,14 @@
nls_uint32 ss_length;
nls_uint32 ss_offset;
size_t ss_end;
+ size_t s_end;
size_t n;
+ s_end = xsum (s_offset, segsize);
+ if (size_overflow_p (s_end) || s_end > bfp->size)
+ error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
length += segsize;
+ s_offset += segsize;
if (sysdepref == SEGMENTS_END)
break;
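Review bot: `length += segsize;` is still a plain addition, even though the offsets next to it go through `xsum` and `size_overflow_p`. The declaration of `length` and the later allocation are outside the hunk, but if `length` is a `size_t` that sizes the output buffer, a wrapped total on a 32-bit build would leave the buffer smaller than what the copy pass writes. Consider `length = xsum (length, segsize);` here, with a `size_overflow_p (length)` check before allocating. Similarly, `s_offset += segsize;` stores the checked `s_end` back into an `nls_uint32`, which is lossless only while `bfp->size` fits in 32 bits. The loop body continues past the end of this hunk.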
@@ -175,7 +181,7 @@
ss_end = xsum (ss_offset, ss_length);
if (size_overflow_p (ss_end) || ss_end > bfp->size)
error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
- if (!(ss_length > 0 && bfp->data[ss_offset + ss_length - 1] == '\0'))
+ if (!(ss_length > 0 && bfp->data[ss_end - 1] == '\0'))
{
char location[30];
sprintf (location, "sysdep_segment[%u]", (unsigned int) sysdepref);
@@ -198,11 +204,8 @@
nls_uint32 sysdep_segment_offset;
nls_uint32 ss_length;
nls_uint32 ss_offset;
- size_t s_end = xsum (s_offset, segsize);
size_t n;
- if (size_overflow_p (s_end) || s_end > bfp->size)
- error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
memcpy (p, bfp->data + s_offset, segsize);
p += segsize;
s_offset += segsize;
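Review bot: With the `s_end` check removed here, `memcpy (p, bfp->data + s_offset, segsize);` relies entirely on the length pass having validated the same `s_offset`/`segsize` values, and nothing at this site says so. I would add a comment above the copy, e.g. `/* [s_offset, s_offset + segsize) was bounds-checked against bfp->size in the length pass. */`, so that a later edit to either loop does not silently drop the invariant. Both loops start and end outside this hunk, so whether the copy pass re-reads `s_offset` from the same field cannot be confirmed from here.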