From: Daiki Ueno <ueno@gnu.org>
Date: Tue, 18 Nov 2014 03:11:22 +0000 (+0900)
Subject: read-mo: Check size_t overflow
X-Git-Tag: v0.19.4~65
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=abf93d1305d1fc59142d2231ec5f94286038a98a;p=thirdparty%2Fgettext.git

read-mo: Check size_t overflow

* read-mo.c: Include "xsize.h".
(get_string): Use xsum3 to avoid overflow, when checking length
and offset fields.
Reported by Jakub Wilk at:
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769901>.
---

diff --git a/gettext-tools/src/ChangeLog b/gettext-tools/src/ChangeLog
index d392ba7d4..e250ae144 100644
--- a/gettext-tools/src/ChangeLog
+++ b/gettext-tools/src/ChangeLog
@@ -1,3 +1,11 @@
+2014-11-18  Daiki Ueno  <ueno@gnu.org>
+
+	* read-mo.c: Include "xsize.h".
+	(get_string): Use xsum3 to avoid overflow, when checking length
+	and offset fields.
+	Reported by Jakub Wilk at:
+	<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769901>.
+
 2014-10-28  Daiki Ueno  <ueno@gnu.org>
 
 	xgettext: Allow plural extraction from a single argument function
diff --git a/gettext-tools/src/read-mo.c b/gettext-tools/src/read-mo.c
index 9e0220ce4..c867236d8 100644
--- a/gettext-tools/src/read-mo.c
+++ b/gettext-tools/src/read-mo.c
@@ -38,6 +38,7 @@
 #include "message.h"
 #include "format.h"
 #include "gettext.h"
+#include "xsize.h"
 
 #define _(str) gettext (str)
 
@@ -121,8 +122,9 @@ get_string (const struct binary_mo_file *bfp, size_t offset, size_t *lengthp)
   /* See 'struct string_desc'.  */
   nls_uint32 s_length = get_uint32 (bfp, offset);
   nls_uint32 s_offset = get_uint32 (bfp, offset + 4);
+  size_t s_end = xsum3 (s_offset, s_length, 1);
 
-  if (s_offset + s_length + 1 > bfp->size)
+  if (size_overflow_p (s_end) || s_end > bfp->size)
     error (EXIT_FAILURE, 0, _("file \"%s\" is truncated"), bfp->filename);
   if (bfp->data[s_offset + s_length] != '\0')
     error (EXIT_FAILURE, 0,