diff options
author | Daiki Ueno <ueno@gnu.org> | 2015-03-11 16:18:26 +0900 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2015-03-11 16:18:26 +0900 |
commit | 5d3eeaa0d3b7f4f6932bd29d859925a940b69459 (patch) | |
tree | 2861eabe261e7bccf554a676222fb249fb07a9fc | |
parent | 30ffe68f83eab2c9c4082e008cc4881dd223cc42 (diff) | |
download | external_gettext-5d3eeaa0d3b7f4f6932bd29d859925a940b69459.zip external_gettext-5d3eeaa0d3b7f4f6932bd29d859925a940b69459.tar.gz external_gettext-5d3eeaa0d3b7f4f6932bd29d859925a940b69459.tar.bz2 |
msgunfmt: Check allocated size for static segment
Reported by Max Lin in:
http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
* read-mo.c (get_sysdep_string): Check if the embedded segment
size is valid, before adding it to the string length.
-rw-r--r-- | gettext-tools/src/ChangeLog | 8 | ||||
-rw-r--r-- | gettext-tools/src/read-mo.c | 11 |
2 files changed, 15 insertions, 4 deletions
diff --git a/gettext-tools/src/ChangeLog b/gettext-tools/src/ChangeLog index d1cc42f..5bf83af 100644 --- a/gettext-tools/src/ChangeLog +++ b/gettext-tools/src/ChangeLog @@ -1,3 +1,11 @@ +2015-03-11 Daiki Ueno <ueno@gnu.org> + + msgunfmt: Check allocated size for static segment + Reported by Max Lin in: + http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html + * read-mo.c (get_sysdep_string): Check if the embedded segment + size is valid, before adding it to the string length. + 2015-03-06 Daiki Ueno <ueno@gnu.org> format-kde: Recognize KUIT markup diff --git a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c index b97bbad..1c024a8 100644 --- a/gettext-tools/src/read-mo.c +++ b/gettext-tools/src/read-mo.c @@ -149,6 +149,7 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset, nls_uint32 s_offset; /* Compute the length. */ + s_offset = get_uint32 (bfp, offset); length = 0; for (i = 4; ; i += 8) { @@ -158,9 +159,14 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset, nls_uint32 ss_length; nls_uint32 ss_offset; size_t ss_end; + size_t s_end; size_t n; + s_end = xsum (s_offset, segsize); + if (size_overflow_p (s_end) || s_end > bfp->size) + error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename); length += segsize; + s_offset += segsize; if (sysdepref == SEGMENTS_END) break; @@ -175,7 +181,7 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset, ss_end = xsum (ss_offset, ss_length); if (size_overflow_p (ss_end) || ss_end > bfp->size) error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename); - if (!(ss_length > 0 && bfp->data[ss_offset + ss_length - 1] == '\0')) + if (!(ss_length > 0 && bfp->data[ss_end - 1] == '\0')) { char location[30]; sprintf (location, "sysdep_segment[%u]", (unsigned int) sysdepref); @@ -198,11 +204,8 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset, nls_uint32 sysdep_segment_offset; nls_uint32 ss_length; nls_uint32 ss_offset; - size_t s_end = xsum (s_offset, segsize); size_t n; - if (size_overflow_p (s_end) || s_end > bfp->size) - error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename); memcpy (p, bfp->data + s_offset, segsize); p += segsize; s_offset += segsize; |