msgunfmt: Check allocated size for static segment

Reported by Max Lin in:
http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
* read-mo.c (get_sysdep_string): Check if the embedded segment
size is valid, before adding it to the string length.

diff --git a/gettext-tools/src/ChangeLog b/gettext-tools/src/ChangeLog
index d1cc42f18201b2fd9e2057d7109b9139495ad22c..5bf83afdd25ffc3865150da10ad346db94dec891 100644 (file)
--- a/gettext-tools/src/ChangeLog
+++ b/gettext-tools/src/ChangeLog
@@ -1,3 +1,11 @@
+2015-03-11  Daiki Ueno  <ueno@gnu.org>
+
+       msgunfmt: Check allocated size for static segment
+       Reported by Max Lin in:
+       http://lists.gnu.org/archive/html/bug-gettext/2015-03/msg00005.html
+       * read-mo.c (get_sysdep_string): Check if the embedded segment
+       size is valid, before adding it to the string length.
+
 2015-03-06  Daiki Ueno  <ueno@gnu.org>
 
        format-kde: Recognize KUIT markup

diff --git a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c
index b97bbadc32a8197aa821af01d989fadfc72400ae..1c024a8fe918012e65d0a63e74cf8e0a95d36d66 100644 (file)
--- a/gettext-tools/src/read-mo.c
+++ b/gettext-tools/src/read-mo.c
@@ -149,6 +149,7 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
   nls_uint32 s_offset;
 
   /* Compute the length.  */
+  s_offset = get_uint32 (bfp, offset);
   length = 0;
   for (i = 4; ; i += 8)
     {
@@ -158,9 +159,14 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
       nls_uint32 ss_length;
       nls_uint32 ss_offset;
       size_t ss_end;
+      size_t s_end;
       size_t n;
 
+      s_end = xsum (s_offset, segsize);
+      if (size_overflow_p (s_end) || s_end > bfp->size)
+        error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
       length += segsize;
+      s_offset += segsize;
 
       if (sysdepref == SEGMENTS_END)
         break;
@@ -175,7 +181,7 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
       ss_end = xsum (ss_offset, ss_length);
       if (size_overflow_p (ss_end) || ss_end > bfp->size)
         error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
-      if (!(ss_length > 0 && bfp->data[ss_offset + ss_length - 1] == '\0'))
+      if (!(ss_length > 0 && bfp->data[ss_end - 1] == '\0'))
         {
           char location[30];
           sprintf (location, "sysdep_segment[%u]", (unsigned int) sysdepref);
@@ -198,11 +204,8 @@ get_sysdep_string (const struct binary_mo_file *bfp, size_t offset,
       nls_uint32 sysdep_segment_offset;
       nls_uint32 ss_length;
       nls_uint32 ss_offset;
-      size_t s_end = xsum (s_offset, segsize);
       size_t n;
 
-      if (size_overflow_p (s_end) || s_end > bfp->size)
-        error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
       memcpy (p, bfp->data + s_offset, segsize);
       p += segsize;
       s_offset += segsize;