summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaiki Ueno <ueno@gnu.org>2015-03-11 16:18:26 +0900
committerDaiki Ueno <ueno@gnu.org>2015-03-11 16:18:26 +0900
commit5d3eeaa0d3b7f4f6932bd29d859925a940b69459 (patch)
tree2861eabe261e7bccf554a676222fb249fb07a9fc
parent30ffe68f83eab2c9c4082e008cc4881dd223cc42 (diff)
downloadexternal_gettext-5d3eeaa0d3b7f4f6932bd29d859925a940b69459.zip
external_gettext-5d3eeaa0d3b7f4f6932bd29d859925a940b69459.tar.gz
external_gettext-5d3eeaa0d3b7f4f6932bd29d859925a940b69459.tar.bz2
msgunfmt: Check allocated size for static segment
Reported by Max Lin in: http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html * read-mo.c (get_sysdep_string): Check if the embedded segment size is valid, before adding it to the string length.
-rw-r--r--gettext-tools/src/ChangeLog8
-rw-r--r--gettext-tools/src/read-mo.c11
2 files changed, 15 insertions, 4 deletions
diff --git a/gettext-tools/src/ChangeLog b/gettext-tools/src/ChangeLog
index d1cc42f..5bf83af 100644
--- a/gettext-tools/src/ChangeLog
+++ b/gettext-tools/src/ChangeLog
@@ -1,3 +1,11 @@
+2015-03-11 Daiki Ueno <ueno@gnu.org>
+
+ msgunfmt: Check allocated size for static segment
+ Reported by Max Lin in:
+ http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
+ * read-mo.c (get_sysdep_string): Check if the embedded segment
+ size is valid, before adding it to the string length.
+
2015-03-06 Daiki Ueno <ueno@gnu.org>
format-kde: Recognize KUIT markup
diff --git a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c
index b97bbad..1c024a8 100644
--- a/gettext-tools/src/read-mo.c
+++ b/gettext-tools/src/read-mo.c
@@ -149,6 +149,7 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
nls_uint32 s_offset;
/* Compute the length. */
+ s_offset = get_uint32 (bfp, offset);
length = 0;
for (i = 4; ; i += 8)
{
@@ -158,9 +159,14 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
nls_uint32 ss_length;
nls_uint32 ss_offset;
size_t ss_end;
+ size_t s_end;
size_t n;
+ s_end = xsum (s_offset, segsize);
+ if (size_overflow_p (s_end) || s_end > bfp->size)
+ error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
length += segsize;
+ s_offset += segsize;
if (sysdepref == SEGMENTS_END)
break;
@@ -175,7 +181,7 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
ss_end = xsum (ss_offset, ss_length);
if (size_overflow_p (ss_end) || ss_end > bfp->size)
error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
- if (!(ss_length > 0 && bfp->data[ss_offset + ss_length - 1] == '\0'))
+ if (!(ss_length > 0 && bfp->data[ss_end - 1] == '\0'))
{
char location[30];
sprintf (location, "sysdep_segment[%u]", (unsigned int) sysdepref);
@@ -198,11 +204,8 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
nls_uint32 sysdep_segment_offset;
nls_uint32 ss_length;
nls_uint32 ss_offset;
- size_t s_end = xsum (s_offset, segsize);
size_t n;
- if (size_overflow_p (s_end) || s_end > bfp->size)
- error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
memcpy (p, bfp->data + s_offset, segsize);
p += segsize;
s_offset += segsize;