From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <glibc-bugs-return-7401-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Received: (qmail 14410 invoked by alias); 16 Nov 2007 01:22:34 -0000
Received: (qmail 14387 invoked by uid 48); 16 Nov 2007 01:22:24 -0000
Date: Fri, 16 Nov 2007 01:22:00 -0000
From: "bruno at clisp dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Message-ID: <20071116012223.5346.bruno@clisp.org>
Reply-To: sourceware-bugzilla@sourceware.org
Subject: [Bug libc/5346] New: gettext crashes when a very long string is passed as argument and the stack size is limited
X-Bugzilla-Reason: CC
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
X-SW-Source: 2007-11/txt/msg00058.txt.bz2

On most systems, the stack size is limited ("ulimit -s 8192" is often the
default).

In these conditions, gettext() crashes when the argument string is longer than
the maximum stack size.

This was reported in
<http://www.securityfocus.com/archive/1/483648/30/30/threaded>
and then reported to bug-gnu-gettext by Ismail Dönmez. Find attached a test case.
================================ foo.c ========================
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>

#include <libintl.h>

int
main ()
{
  size_t n;
  struct rlimit limit;
  char *msg;

  n = 1000000;

#ifdef RLIMIT_STACK
  if (getrlimit (RLIMIT_STACK, &limit) >= 0)
    {
      if (limit.rlim_max == RLIM_INFINITY || limit.rlim_max > n)
        limit.rlim_max = n;
      limit.rlim_cur = limit.rlim_max;
      setrlimit (RLIMIT_STACK, &limit);
    }
#endif

  msg = (char *) malloc (n + 1);
  memset (msg, 'x', n);
  msg[n] = '\0';

  msg = gettext (msg);

  return 0;
}
===============================================================
$ gcc -Wall foo.c
$ ./a.out 
Segmentation fault

-- 
           Summary: gettext crashes when a very long string is passed as
                    argument and the stack size is limited
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: minor
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: bruno at clisp dot org
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: i586-suse-linux
  GCC host triplet: i586-suse-linux
GCC target triplet: i586-suse-linux


http://sourceware.org/bugzilla/show_bug.cgi?id=5346

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.