+2014-12-05 Daiki Ueno <ueno@gnu.org>
+
+ msgunfmt: Avoid integer overflow using xsize
+ * read-mo.c (get_uint32, get_sysdep_string): Use xsum to avoid
+ integer overflow, when checking length and offset fields.
+ Reported by Jakub Wilk at:
+ <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772088>.
+
2014-12-04 Daiki Ueno <ueno@gnu.org>
libgettextsrc: Follow plural.c -> pluralx.c file name change
get_uint32 (const struct binary_mo_file *bfp, size_t offset)
{
nls_uint32 b0, b1, b2, b3;
+ size_t end = xsum (offset, 4);
- if (offset + 4 > bfp->size)
+ if (size_overflow_p (end) || end > bfp->size)
error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
b0 = *(unsigned char *) (bfp->data + offset + 0);
nls_uint32 sysdep_segment_offset;
nls_uint32 ss_length;
nls_uint32 ss_offset;
+ size_t ss_end;
size_t n;
length += segsize;
sysdep_segment_offset = header->sysdep_segments_offset + sysdepref * 8;
ss_length = get_uint32 (bfp, sysdep_segment_offset);
ss_offset = get_uint32 (bfp, sysdep_segment_offset + 4);
- if (ss_offset + ss_length > bfp->size)
+ ss_end = xsum (ss_offset, ss_length);
+ if (size_overflow_p (ss_end) || ss_end > bfp->size)
error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
if (!(ss_length > 0 && bfp->data[ss_offset + ss_length - 1] == '\0'))
{
nls_uint32 sysdep_segment_offset;
nls_uint32 ss_length;
nls_uint32 ss_offset;
+ size_t s_end = xsum (s_offset, segsize);
size_t n;
- if (s_offset + segsize > bfp->size)
+ if (size_overflow_p (s_end) || s_end > bfp->size)
error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
memcpy (p, bfp->data + s_offset, segsize);
p += segsize;
projects / thirdparty / gettext.git / commitdiff
