public inbox for glibc-bugs@sourceware.org
* [Bug libc/5346] New: gettext crashes when a very long string is passed as argument and the stack size is limited
From: bruno at clisp dot org @ 2007-11-16  1:22 UTC (permalink / raw)
  To: glibc-bugs


On most systems, the stack size is limited ("ulimit -s 8192" is often the
default).

In these conditions, gettext() crashes when the argument string is longer than
the maximum stack size.

This was reported in
<http://www.securityfocus.com/archive/1/483648/30/30/threaded>
and then reported to bug-gnu-gettext by Ismail Dönmez. Find attached a test case.
================================ foo.c ========================
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>

#include <libintl.h>

int
main (void)
{
  size_t n;
  struct rlimit limit;
  char *msg;

  /* Length of the argument string; chosen to exceed the stack limit set below.  */
  n = 1000000;

#ifdef RLIMIT_STACK
  /* Cap the stack at n bytes so that an alloca() of roughly strlen (msg)
     bytes inside gettext() cannot fit.  */
  if (getrlimit (RLIMIT_STACK, &limit) >= 0)
    {
      if (limit.rlim_max == RLIM_INFINITY || limit.rlim_max > n)
        limit.rlim_max = n;
      limit.rlim_cur = limit.rlim_max;
      setrlimit (RLIMIT_STACK, &limit);
    }
#endif

  /* The argument itself lives on the heap; only its length matters.  */
  msg = (char *) malloc (n + 1);
  if (msg == NULL)
    return 1;
  memset (msg, 'x', n);
  msg[n] = '\0';

  /* Crashes here: gettext() sizes a stack allocation from the argument length.  */
  msg = gettext (msg);

  return 0;
}
===============================================================
$ gcc -Wall foo.c
$ ./a.out 
Segmentation fault

-- 
           Summary: gettext crashes when a very long string is passed as
                    argument and the stack size is limited
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: minor
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: bruno at clisp dot org
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: i586-suse-linux
  GCC host triplet: i586-suse-linux
GCC target triplet: i586-suse-linux


http://sourceware.org/bugzilla/show_bug.cgi?id=5346

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.



* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: bruno at clisp dot org @ 2007-11-16  1:24 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bruno at clisp dot org  2007-11-16 01:24 -------
Created an attachment (id=2091)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=2091&action=view)
test case

Test case. If you are on a system which has a limited stack size, you can
omit the getrlimit/setrlimit business and bump n (e.g. to 10000000).


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=5346


* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: bruno at clisp dot org @ 2007-11-16  1:36 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bruno at clisp dot org  2007-11-16 01:36 -------
Created an attachment (id=2092)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=2092&action=view)
patch that fixes the bug

The cause of the bug is in dcigettext.c, the alloca() call, whose size is
computed as <fixed> + strlen (msgid1). A possible fix would be to use malloc()
instead of alloca() when the size is > 4000. But in this case it is possible
to get away with a bounded-size allocation. This is better because the input
string does not have to be copied at all.

The attached patch has been verified to fix the bug in the intl/ package of GNU
gettext. I expect that it also fixes the bug when applied inside glibc. The
patch is relative to the glibc CVS as of today.

You might also want to add the test case to the test suite.


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=5346

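The message above names the defect (an alloca() whose size is <fixed> + strlen (msgid1), so the caller's input decides how much stack is consumed) and the usual remedies. The following is an added illustration, not the attached glibc patch and not glibc code: a scratch buffer with a fixed stack part and a malloc() fallback above a threshold, used to build the same kind of "<domain>\0<msgid>\0" lookup key without an input-sized stack allocation. The 4000-byte cut-off is taken from the message; the struct and function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Cut-off above which scratch space moves to the heap.  The report
   mentions 4000; any bound well below a typical RLIMIT_STACK works.  */
#define STACK_ALLOC_LIMIT 4000

/* Hypothetical scratch buffer: stack usage is bounded by sizeof fixed,
   larger requests come from malloc() and are released explicitly.
   The bug pattern this replaces is
       char *buf = alloca (strlen (domain) + strlen (msgid) + 2);
   whose size is chosen by whoever controls msgid.  */
struct scratch
{
  char fixed[STACK_ALLOC_LIMIT];
  char *ptr;      /* either s->fixed or a malloc()ed block */
  int on_heap;    /* 1 when ptr must be free()d */
};

static char *
scratch_get (struct scratch *s, size_t n)
{
  if (n <= sizeof s->fixed)
    { s->ptr = s->fixed; s->on_heap = 0; }
  else
    { s->ptr = malloc (n); s->on_heap = 1; }
  return s->ptr;
}

static void
scratch_release (struct scratch *s)
{
  if (s->on_heap)
    free (s->ptr);
  s->ptr = NULL;
  s->on_heap = 0;
}

/* Build "<domain>\0<msgid>\0" in the scratch buffer.  Returns the key
   length in bytes (both strings plus their two NULs) or 0 on allocation
   failure; the caller must call scratch_release() afterwards.  */
static size_t
build_key (struct scratch *s, const char *domain, const char *msgid)
{
  size_t dl = strlen (domain), ml = strlen (msgid);
  size_t n = dl + 1 + ml + 1;
  char *buf = scratch_get (s, n);
  if (buf == NULL)
    return 0;
  memcpy (buf, domain, dl + 1);
  memcpy (buf + dl + 1, msgid, ml + 1);
  return n;
}
```

With a 1000000-byte msgid the key goes to the heap and the stack cost stays at sizeof (struct scratch), which is what keeps the reporter's test case from faulting.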

* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: ismail at pardus dot org dot tr @ 2007-11-16  3:05 UTC (permalink / raw)
  To: glibc-bugs



-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ismail at pardus dot org dot
                   |                            |tr


http://sourceware.org/bugzilla/show_bug.cgi?id=5346


* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: bruno at clisp dot org @ 2007-11-16  3:10 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From bruno at clisp dot org  2007-11-16 03:10 -------
Created an attachment (id=2093)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=2093&action=view)
patch that fixes the bug (corrected)


-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #2092 is|0                           |1
           obsolete|                            |


http://sourceware.org/bugzilla/show_bug.cgi?id=5346


* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: drepper at redhat dot com @ 2007-11-17  7:38 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From drepper at redhat dot com  2007-11-17 07:38 -------
I applied the patch to the trunk.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=5346

