
Re: [bug-gettext] double-free in msgfmt at po-gram-gen.y:230


From: Bruno Haible
Subject: Re: [bug-gettext] double-free in msgfmt at po-gram-gen.y:230
Date: Mon, 24 Sep 2018 02:14:26 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-134-generic; KDE/5.18.0; x86_64; ; )

Hi,

Stefan Sperling wrote:
> This particular version of Subversion's Swedish translation file causes
> an error due to a duplicate message ID (expected) but also triggers
> a double-free (unexpected):
> https://svn.apache.org/repos/asf/subversion/trunk/subversion/po/sv.po?p=1841716
> ( Note that the ?p=1841716 part of this URL fetches the broken version.
> I have already fixed the file with 'msguniq' in this revision:
> https://svn.apache.org/r1841717 )
> 
> This double-free was found on OpenBSD 6.3 but is likely platform-independent. 
> 
> On OpenBSD, the double-free causes a non-clean exit of msgfmt:
> 
> subversion/po/sv.po:13836: duplicate message definition...
> subversion/po/sv.po:4723: ...this is the location of the first definition
> msgfmt(88949) in free(): chunk is already free 0x5ae722b5e40
> *** Signal 6 in target 'subversion/po/sv.mo'
> *** Signal SIGABRT in /home/stsp/svn/svn-trunk (Makefile:812 'subversion/po/sv.mo')
> 
> (gdb) bt
> #0  thrkill () at -:3
> #1  0x000005adeecdf66e in _libc_abort () at 
> /usr/src/lib/libc/stdlib/abort.c:51
> #2  0x000005adeecf1d59 in wrterror (d=0x5ae43368bb0,
>     msg=0x5adeee34b7b "chunk is already free %p")
>     at /usr/src/lib/libc/stdlib/malloc.c:291
> #3  0x000005adeecf4e6b in find_chunknum (d=0x0, info=<optimized out>, ptr=0x0,
>     check=1) at /usr/src/lib/libc/stdlib/malloc.c:1043
> #4  0x000005adeecf2393 in ofree (argpool=<optimized out>, p=<optimized out>,
>     clear=0, check=0, argsz=0) at /usr/src/lib/libc/stdlib/malloc.c:1359
> #5  0x000005adeecf1e5c in free (ptr=0x5ae722b5e40)
>     at /usr/src/lib/libc/stdlib/malloc.c:1419
> #6  0x000005add7fd6c43 in po_gram_parse () at po-gram-gen.y:230
> #7  0x000005add7fd9bdb in po_parse (this=0x5adae96c700,
>     fp=0x5adeef59f90 <usual>,
>     real_filename=0x5ae459ec520 "subversion/po/sv.po",
>     logical_filename=0x7f7fffff9a93 "subversion/po/sv.po") at read-po.c:41
> #8  0x000005add7fd1de8 in catalog_reader_parse (pop=0x5adae96c700,
>     fp=0x5adeef59f90 <usual>,
>     real_filename=0x5ae459ec520 "subversion/po/sv.po",
>     logical_filename=0x7f7fffff9a93 "subversion/po/sv.po",
>     input_syntax=0x5add823b2e0 <input_format_po>)
>     at read-catalog-abstract.c:179
> #9  0x000005aba80034ce in read_catalog_file_msgfmt (
>     filename=0x7f7fffff9a93 "subversion/po/sv.po",
>     input_syntax=0x5add823b2e0 <input_format_po>) at msgfmt.c:1415
> #10 0x000005aba80020c5 in main (argc=5, argv=0x7f7fffff98c8) at msgfmt.c:746
> (gdb)
> 
> $ msgfmt --version
> msgfmt (GNU gettext-tools) 0.19.8.1
> Copyright (C) 1995-1998, 2000-2016 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> Written by Ulrich Drepper.

> I suppose it could also be detected by tools such as Valgrind or Address
> Sanitizer on Linux.

Indeed, on Linux with valgrind I get this stack trace:

Invalid free() / delete / delete[] / realloc()
   at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x415FEE: po_gram_parse (po-gram-gen.y:230)
   by 0x418384: po_parse (read-po.c:41)
   by 0x412774: catalog_reader_parse (read-catalog-abstract.c:179)
   by 0x405C7B: read_catalog_file_msgfmt (msgfmt.c:1415)
   by 0x404622: main (msgfmt.c:746)
 Address 0x6722ef0 is 0 bytes inside a block of size 30 free'd
   at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x41BD6B: default_add_message (read-catalog.c:378)
   by 0x405941: msgfmt_add_message (msgfmt.c:1280)
   by 0x41B407: call_add_message (read-catalog.c:64)
   by 0x41B9DF: default_directive_message (read-catalog.c:248)
   by 0x4125D6: call_directive_message (read-catalog-abstract.c:107)
   by 0x412890: po_callback_message (read-catalog-abstract.c:219)
   by 0x415549: do_callback_message (po-gram-gen.y:108)
   by 0x415FD4: po_gram_parse (po-gram-gen.y:225)
   by 0x418384: po_parse (read-po.c:41)
   by 0x412774: catalog_reader_parse (read-catalog-abstract.c:179)
   by 0x405C7B: read_catalog_file_msgfmt (msgfmt.c:1415)
 Block was alloc'd at
   at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x45FAA3: xmalloc (xmalloc.c:65)
   by 0x45FC5E: xstrdup (xstrdup.c:40)
   by 0x41ADBF: string_list_append (str-list.c:74)
   by 0x416F9E: po_gram_parse (po-gram-gen.y:417)
   by 0x418384: po_parse (read-po.c:41)
   by 0x412774: catalog_reader_parse (read-catalog-abstract.c:179)
   by 0x405C7B: read_catalog_file_msgfmt (msgfmt.c:1415)
   by 0x404622: main (msgfmt.c:746)

The bug is already fixed in git, through this commit:
https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=commitdiff;h=dce3a16e5e9368245735e29bf498dcd5e3e474a4

Thanks for the report!

Bruno
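The ownership mistake the two traces above point at (a string allocated by the parser, freed once inside the add-message callback on the duplicate-msgid path and again by the parser) modelled as an added C example. This is constructed illustration code, not gettext's code, and the names `add_message`, `parse_duplicate` and the shadow tracker are hypothetical; the actual fix in the linked commit may differ in detail. The tracker counts a repeated free instead of letting the allocator abort, so both the buggy and the corrected ownership rule can be checked from the same driver.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (not gettext's code) of the bug in the valgrind trace: the parser
 * duplicates a msgid, hands it to the add-message callback, and on a duplicate both
 * callback and parser free it. A shadow tracker counts the second free instead of aborting. */
#define MAX_TRACK 16
static void *freed_log[MAX_TRACK];
static int freed_n, double_frees, live_blocks;
static char *catalog_msgid;   /* toy catalog: one slot is enough for the duplicate path */

static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p == NULL) abort();
    strcpy(p, s);
    live_blocks++;
    return p;
}

/* free() that refuses a block it already released and records the attempt */
static void tracked_free(void *p) {
    for (int i = 0; i < freed_n; i++)
        if (freed_log[i] == p) { double_frees++; return; }
    if (freed_n < MAX_TRACK) freed_log[freed_n++] = p;
    live_blocks--;
    free(p);
}

/* Callback in the role of default_add_message(): owns a new msgid, rejects a duplicate;
 * free_on_dup reproduces the buggy variant that frees a string the caller still owns. */
static int add_message(char *msgid, int free_on_dup) {
    if (catalog_msgid != NULL && strcmp(catalog_msgid, msgid) == 0) {
        if (free_on_dup) tracked_free(msgid);
        return -1;                 /* duplicate message definition */
    }
    catalog_msgid = msgid;
    return 0;
}

/* Parser side: two entries with the same msgid (constructed input), then cleanup.
 * Returns the number of double frees seen; 0 means ownership is consistent. */
static int parse_duplicate(int buggy) {
    freed_n = double_frees = live_blocks = 0;
    catalog_msgid = NULL;
    for (int i = 0; i < 2; i++) {
        char *id = tracked_strdup("Save file");
        if (add_message(id, buggy) != 0)
            tracked_free(id);      /* the rejected string is released once, here */
    }
    tracked_free(catalog_msgid);
    return double_frees;
}
```

`parse_duplicate(1)` reports one double free and `parse_duplicate(0)` none, while `live_blocks` returns to zero in both cases, so the corrected rule (the callee frees nothing it was not given ownership of) neither double-frees nor leaks.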