59 lines
2.3 KiB
Diff
59 lines
2.3 KiB
Diff
From <http://git.savannah.gnu.org/cgit/gettext.git/patch/?id=5d3eeaa0d3b7f4f6932bd29d859925a940b69459>.
|
|
|
|
2015-03-11 Daiki Ueno <ueno@gnu.org>
|
|
|
|
msgunfmt: Check allocated size for static segment
|
|
Reported by Max Lin in:
|
|
http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
|
|
* read-mo.c (get_sysdep_string): Check if the embedded segment
|
|
size is valid, before adding it to the string length.
|
|
|
|
diff --git a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c
|
|
index b97bbad..1c024a8 100644
|
|
--- a/gettext-tools/src/read-mo.c
|
|
+++ b/gettext-tools/src/read-mo.c
|
|
@@ -149,6 +149,7 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
|
|
nls_uint32 s_offset;
|
|
|
|
/* Compute the length. */
|
|
+ s_offset = get_uint32 (bfp, offset);
|
|
length = 0;
|
|
for (i = 4; ; i += 8)
|
|
{
|
|
@@ -158,9 +159,14 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
|
|
nls_uint32 ss_length;
|
|
nls_uint32 ss_offset;
|
|
size_t ss_end;
|
|
+ size_t s_end;
|
|
size_t n;
|
|
|
|
+ s_end = xsum (s_offset, segsize);
|
|
+ if (size_overflow_p (s_end) || s_end > bfp->size)
|
|
+ error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
|
|
length += segsize;
|
|
+ s_offset += segsize;
|
|
|
|
if (sysdepref == SEGMENTS_END)
|
|
break;
|
|
@@ -175,7 +181,7 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
|
|
ss_end = xsum (ss_offset, ss_length);
|
|
if (size_overflow_p (ss_end) || ss_end > bfp->size)
|
|
error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
|
|
- if (!(ss_length > 0 && bfp->data[ss_offset + ss_length - 1] == '\0'))
|
|
+ if (!(ss_length > 0 && bfp->data[ss_end - 1] == '\0'))
|
|
{
|
|
char location[30];
|
|
sprintf (location, "sysdep_segment[%u]", (unsigned int) sysdepref);
|
|
@@ -198,11 +204,8 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
|
|
nls_uint32 sysdep_segment_offset;
|
|
nls_uint32 ss_length;
|
|
nls_uint32 ss_offset;
|
|
- size_t s_end = xsum (s_offset, segsize);
|
|
size_t n;
|
|
|
|
- if (size_overflow_p (s_end) || s_end > bfp->size)
|
|
- error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
|
|
memcpy (p, bfp->data + s_offset, segsize);
|
|
p += segsize;
|
|
s_offset += segsize;
|