Re: [bug-gettext] xgettext segmentation fault javascript


From: Jesper Fehrlund
Subject: Re: [bug-gettext] xgettext segmentation fault javascript
Date: Mon, 27 Oct 2014 16:21:32 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.2.0


On 25/10/14 10:23, Daiki Ueno wrote:
> Hello,
>
> Andreas Stricker <address@hidden> writes:
>
>> I can reproduce this with Debian testing default xgettext. But it
>> doesn't look javascript specific. e.g. if I create two identical
>> files 1.c and 2.c with the content:
>>
>> int a() { ngettext("bla", 1); }
>>
>> And call it like this:
>>
>> xgettext --keyword=ngettext:1,1 -o - 1.c 2.c
>>
>> *** Error in `xgettext': double free or corruption (fasttop):
>> 0x0000000001428470 ***
>>
>> I'm not sure if this keyword argument is valid, but at least
>> it should not die like this.
>
> Thanks for the report and investigation.  It seems to be a long-standing
> bug since 0.18, after this change:
> http://git.savannah.gnu.org/cgit/gettext.git/commit/?id=6aa7b7ed
>
> I'm not sure if this change is intentional or what's the best way to
> handle this use-case, but here is a patch to recover the original
> behavior.

Hi,

(I'm sorry if this does not end up in the correct thread, not quite sure how to get the old mails resent so I had to download and create it manually)

I'm a colleague of Johan and I spent some time looking through the source code trying to figure out what the problem is.
The problem seems to be that if the same argnum is used then msgid and msgid_plural will point to the same address.
Later in remember_a_message, if the msgid has already been encountered it will call free on the msgid, making msgid_plur an invalid pointer which is then passed to free in remember_a_message_plural.

This seems a bit tricky to solve given the current implementation.

You can, however, solve it by making sure the two do not point to the same address to begin with (see attached patch).

An issue with this solution is that there seems to be (at least) one other instance where the pointers could point to the same object, when looking at lines:
3105                 free (best_cp->msgid);
3106                 if (best_cp->msgid_plural == best_cp->msgid)
3107                   best_cp->msgid_plural = msgid;
3108                 best_cp->msgid = msgid;

So it's possible that the same bug would appear here; I'm not sure how to exercise this code path.
A similar solution could probably be applied here.

Regards,
--
Jesper Fehrlund

Attachment: doublefreefix.patch
Description: Text document
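
A minimal C model of the aliasing described in this message, added here as an illustration. It is not the attached patch and not gettext code; `struct plural_msg`, `dup_string`, `fill_slots` and `release_slots` are hypothetical names. The producer gives each slot its own copy when one argument feeds both, and the consumer checks for an alias before freeing anything.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the two string slots a keyword spec fills in. */
struct plural_msg {
    char *msgid;        /* owned heap string */
    char *msgid_plural; /* owned heap string, may be NULL */
};

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p != NULL ? memcpy(p, s, n) : NULL;
}

/* Producer side: one extracted argument feeds both slots, as with
   --keyword=ngettext:1,1. Each slot gets its own copy, so no alias. */
static bool fill_slots(struct plural_msg *m, const char *arg)
{
    m->msgid = dup_string(arg);
    m->msgid_plural = dup_string(arg);
    if (m->msgid != NULL && m->msgid_plural != NULL)
        return true;
    free(m->msgid);
    free(m->msgid_plural);
    m->msgid = m->msgid_plural = NULL;
    return false;
}

/* Consumer side: frees the singular first, then the plural. The alias
   test runs before any free(); returns the number of free() calls. */
static int release_slots(struct plural_msg *m)
{
    bool second = (m->msgid_plural != NULL && m->msgid_plural != m->msgid);
    free(m->msgid);
    if (second)
        free(m->msgid_plural);
    m->msgid = m->msgid_plural = NULL;
    return second ? 2 : 1;
}

int main(void)
{
    struct plural_msg m; /* "bla" is constructed sample input */
    return fill_slots(&m, "bla") && release_slots(&m) == 2 ? 0 : 1;
}
```

Building this with `-fsanitize=address` reports a double free if the alias check in `release_slots` is removed and both slots are made to share one pointer.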

