+2014-11-18 Daiki Ueno <ueno@gnu.org>
+
+ * read-mo.c: Include "xsize.h".
+ (get_string): Use xsum3 to avoid overflow, when checking length
+ and offset fields.
+ Reported by Jakub Wilk at:
+ <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769901>.
+
2014-10-28 Daiki Ueno <ueno@gnu.org>
xgettext: Allow plural extraction from a single argument function
#include "message.h"
#include "format.h"
#include "gettext.h"
+#include "xsize.h"
#define _(str) gettext (str)
/* See 'struct string_desc'. */
nls_uint32 s_length = get_uint32 (bfp, offset);
nls_uint32 s_offset = get_uint32 (bfp, offset + 4);
+ size_t s_end = xsum3 (s_offset, s_length, 1);
- if (s_offset + s_length + 1 > bfp->size)
+ if (size_overflow_p (s_end) || s_end > bfp->size)
error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
if (bfp->data[s_offset + s_length] != '\0')
error (EXIT_FAILURE, 0,
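Review bot: The NUL-terminator test right after the new bounds check still indexes with `s_offset + s_length`, which is computed in `nls_uint32` arithmetic rather than in the `size_t` value that was just validated. Assuming `nls_uint32` is a 32-bit unsigned type and `bfp->size` is a `size_t` (neither declaration is in the hunk), a build with 64-bit `size_t` and an MO file larger than 4 GiB can pass the `s_end` check while the 32-bit sum wraps, so the byte inspected is not the one at the end of the string. Indexing with the checked value keeps the two tests consistent: `if (bfp->data[s_end - 1] != '\0')`. A short comment above `s_end` noting that both fields come straight from the file and must not be added in 32-bit arithmetic would also help the next reader. The body of get_string starts before and continues after this hunk, so later uses of `s_offset` and `s_length` are not visible here.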