public inbox for glibc-bugs@sourceware.org
* [Bug libc/5346] New: gettext crashes when a very long string is passed as argument and the stack size is limited
From: bruno at clisp dot org @ 2007-11-16 1:22 UTC (permalink / raw)
To: glibc-bugs
On most systems, the stack size is limited ("ulimit -s 8192" is often the
default).
In these conditions, gettext() crashes when the argument string is longer than
the maximum stack size.
This was reported in
<http://www.securityfocus.com/archive/1/483648/30/30/threaded>
and then reported to bug-gnu-gettext by Ismail Dönmez. Find attached a test case.
================================ foo.c ========================
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <libintl.h>

int
main (void)
{
  size_t n;
  struct rlimit limit;
  char *msg;

  /* Length of the msgid: 1 MB, the same size the stack is capped at below.  */
  n = 1000000;
#ifdef RLIMIT_STACK
  /* Cap the stack at n bytes so that an alloca() of strlen (msgid) bytes
     inside gettext() cannot fit.  */
  if (getrlimit (RLIMIT_STACK, &limit) >= 0)
    {
      if (limit.rlim_max == RLIM_INFINITY || limit.rlim_max > n)
        limit.rlim_max = n;
      limit.rlim_cur = limit.rlim_max;
      setrlimit (RLIMIT_STACK, &limit);
    }
#endif
  /* Build an n-byte string with no translation and hand it to gettext().  */
  msg = (char *) malloc (n + 1);
  memset (msg, 'x', n);
  msg[n] = '\0';
  msg = gettext (msg);
  return 0;
}
===============================================================
$ gcc -Wall foo.c
$ ./a.out
Segmentation fault
--
Summary: gettext crashes when a very long string is passed as
argument and the stack size is limited
Product: glibc
Version: 2.4
Status: NEW
Severity: minor
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: bruno at clisp dot org
CC: glibc-bugs at sources dot redhat dot com
GCC build triplet: i586-suse-linux
GCC host triplet: i586-suse-linux
GCC target triplet: i586-suse-linux
http://sourceware.org/bugzilla/show_bug.cgi?id=5346
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: bruno at clisp dot org @ 2007-11-16 1:24 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From bruno at clisp dot org 2007-11-16 01:24 -------
Created an attachment (id=2091)
--> (http://sourceware.org/bugzilla/attachment.cgi?id=2091&action=view)
test case
Test case. If you are on a system which has a limited stack size, you can
omit the getrlimit/setrlimit business and bump n (e.g. to 10000000).
--
http://sourceware.org/bugzilla/show_bug.cgi?id=5346
* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: bruno at clisp dot org @ 2007-11-16 1:36 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From bruno at clisp dot org 2007-11-16 01:36 -------
Created an attachment (id=2092)
--> (http://sourceware.org/bugzilla/attachment.cgi?id=2092&action=view)
patch that fixes the bug
The cause of the bug is in dcigettext.c, the alloca() call, whose size is
computed as <fixed> + strlen (msgid1). A possible fix would be to use malloc()
instead of alloca() when the size is > 4000. But in this case it is possible
to get away with a bounded-size allocation. This is better because the input
string does not have to be copied at all.
The attached patch has been verified to fix the bug in the intl/ package of GNU
gettext. I expect that it also fixes the bug when applied inside glibc. The
patch is relative to the glibc CVS as of today.
You might also want to add the test case to the test suite.
--
http://sourceware.org/bugzilla/show_bug.cgi?id=5346
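The unbounded alloca() pattern described in the comment above, next to the bounded-size alternative it proposes, as an added illustration; this is not the attached patch or glibc's dcigettext.c, and the two-entry catalog and the lookup functions are constructed stand-ins for the real lookup.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <alloca.h>

/* Constructed two-entry catalog standing in for a loaded .mo file.  */
static const char *const catalog[][2] = {
    { "Yes", "Ja" },
    { "No",  "Nein" },
};
#define CATALOG_SIZE (sizeof catalog / sizeof catalog[0])

/* Lookup key as in the report: a stack copy whose size grows with the
   caller's string.  */
struct key_copy { size_t len; char text[]; };

/* Lookup key after the fix: fixed size, references the caller's string.  */
struct key_ref { size_t len; const char *text; };

/* Vulnerable pattern: alloca (<fixed> + strlen (msgid)).  With a msgid
   longer than the remaining stack the allocation runs past the guard page
   and the process dies with SIGSEGV.  Shown for contrast; not called here.  */
const char *lookup_alloca (const char *msgid)
{
  size_t len = strlen (msgid);
  struct key_copy *k = alloca (sizeof *k + len + 1);   /* unbounded size */
  k->len = len;
  memcpy (k->text, msgid, len + 1);
  for (size_t i = 0; i < CATALOG_SIZE; i++)
    if (strlen (catalog[i][0]) == k->len
        && memcmp (catalog[i][0], k->text, k->len) == 0)
      return catalog[i][1];
  return msgid;                 /* gettext convention: return the input */
}

/* Bounded version: the key occupies sizeof (struct key_ref) bytes of stack
   whatever the input length, and the input string is never copied.  */
const char *lookup_bounded (const char *msgid)
{
  struct key_ref k = { strlen (msgid), msgid };
  for (size_t i = 0; i < CATALOG_SIZE; i++)
    if (strlen (catalog[i][0]) == k.len
        && memcmp (catalog[i][0], k.text, k.len) == 0)
      return catalog[i][1];
  return msgid;
}
```

A 1 MB msgid goes through lookup_bounded without touching more than a few bytes of stack, which is the property the attached patch restores.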
* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: ismail at pardus dot org dot tr @ 2007-11-16 3:05 UTC (permalink / raw)
To: glibc-bugs
--
What                |Removed |Added
--------------------------------------------------------------
CC                  |        |ismail at pardus dot org dot tr
http://sourceware.org/bugzilla/show_bug.cgi?id=5346
* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: bruno at clisp dot org @ 2007-11-16 3:10 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From bruno at clisp dot org 2007-11-16 03:10 -------
Created an attachment (id=2093)
--> (http://sourceware.org/bugzilla/attachment.cgi?id=2093&action=view)
patch that fixes the bug (corrected)
--
What                |Removed |Added
--------------------------------------------------------------
Attachment #2092 is |0       |1
obsolete            |        |
http://sourceware.org/bugzilla/show_bug.cgi?id=5346
* [Bug libc/5346] gettext crashes when a very long string is passed as argument and the stack size is limited
From: drepper at redhat dot com @ 2007-11-17 7:38 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From drepper at redhat dot com 2007-11-17 07:38 -------
I applied the patch to the trunk.
--
What                |Removed |Added
--------------------------------------------------------------
Status              |NEW     |RESOLVED
Resolution          |        |FIXED
http://sourceware.org/bugzilla/show_bug.cgi?id=5346