meta/recipes-core/gettext/gettext-0.19.8.1/fix-CVE-2018-18751.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=gettext.git;a=commit;h=dce3a16]
CVE: CVE-2018-18751

Signed-off-by: Kai Kang <kai.kang@windriver.com>

From dce3a16e5e9368245735e29bf498dcd5e3e474a4 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 15 Sep 2016 13:57:24 +0200
Subject: [PATCH] xgettext: Fix crash with *.po file input

When xgettext was given two *.po files with the same msgid_plural, it
crashed with double-free.  Problem reported by Davlet Panech in:
http://lists.gnu.org/archive/html/bug-gettext/2016-09/msg00001.html
* gettext-tools/src/po-gram-gen.y: Don't free msgid_pluralform after
calling do_callback_message, assuming that it takes ownership.
* gettext-tools/src/read-catalog.c (default_add_message): Free
msgid_plural after calling message_alloc.
* gettext-tools/tests/xgettext-po-2: New file.
* gettext-tools/tests/Makefile.am (TESTS): Add new test.
---
 gettext-tools/src/po-gram-gen.y   | 13 ++++-----
 gettext-tools/src/read-catalog.c  |  2 ++
 gettext-tools/tests/Makefile.am   |  2 +-
 gettext-tools/tests/xgettext-po-2 | 55 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 9 deletions(-)
 create mode 100755 gettext-tools/tests/xgettext-po-2

diff --git a/gettext-tools/src/po-gram-gen.y b/gettext-tools/src/po-gram-gen.y
index becf5e6..4428e77 100644
--- a/gettext-tools/src/po-gram-gen.y
+++ b/gettext-tools/src/po-gram-gen.y
@@ -221,14 +221,11 @@ message
                   check_obsolete ($1, $3);
                   check_obsolete ($1, $4);
                   if (!$1.obsolete || pass_obsolete_entries)
-                    {
-                      do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
-                                           $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
-                                           $1.prev_ctxt,
-                                           $1.prev_id, $1.prev_id_plural,
-                                           $1.obsolete);
-                      free ($3.string);
-                    }
+                    do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
+                                         $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
+                                         $1.prev_ctxt,
+                                         $1.prev_id, $1.prev_id_plural,
+                                         $1.obsolete);
                   else
                     {
                       free_message_intro ($1);
diff --git a/gettext-tools/src/read-catalog.c b/gettext-tools/src/read-catalog.c
index 571d18e..6af6d20 100644
--- a/gettext-tools/src/read-catalog.c
+++ b/gettext-tools/src/read-catalog.c
@@ -397,6 +397,8 @@ default_add_message (default_catalog_reader_ty *this,
          appropriate.  */
       mp = message_alloc (msgctxt, msgid, msgid_plural, msgstr, msgstr_len,
                           msgstr_pos);
+      if (msgid_plural != NULL)
+        free (msgid_plural);
       mp->prev_msgctxt = prev_msgctxt;
       mp->prev_msgid = prev_msgid;
       mp->prev_msgid_plural = prev_msgid_plural;
diff --git a/gettext-tools/tests/Makefile.am b/gettext-tools/tests/Makefile.am
index 23b09b1..0dfb4d8 100644
--- a/gettext-tools/tests/Makefile.am
+++ b/gettext-tools/tests/Makefile.am
@@ -95,7 +95,7 @@ TESTS = gettext-1 gettext-2 gettext-3 gettext-4 gettext-5 gettext-6 gettext-7 \
 	xgettext-perl-1 xgettext-perl-2 xgettext-perl-3 xgettext-perl-4 \
 	xgettext-perl-5 xgettext-perl-6 xgettext-perl-7 xgettext-perl-8 \
 	xgettext-php-1 xgettext-php-2 xgettext-php-3 xgettext-php-4 \
-	xgettext-po-1 \
+	xgettext-po-1 xgettext-po-2 \
 	xgettext-properties-1 \
 	xgettext-python-1 xgettext-python-2 xgettext-python-3 \
 	xgettext-python-4 \
diff --git a/gettext-tools/tests/xgettext-po-2 b/gettext-tools/tests/xgettext-po-2
new file mode 100755
index 0000000..c4bd9d0
--- /dev/null
+++ b/gettext-tools/tests/xgettext-po-2
@@ -0,0 +1,55 @@
+#! /bin/sh
+. "${srcdir=.}/init.sh"; path_prepend_ . ../src
+
+# Test PO extractors with multiple input files.
+
+cat <<EOF > xg-po-2-1.po
+msgid "first msgid"
+msgid_plural "first msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "second msgid"
+msgid_plural "second msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+EOF
+
+cat <<EOF > xg-po-2-2.po
+msgid "third msgid"
+msgid_plural "third msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "second msgid"
+msgid_plural "second msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+EOF
+
+: ${XGETTEXT=xgettext}
+${XGETTEXT} --omit-header xg-po-2-1.po xg-po-2-2.po -o xg-po-2.tmp.po || Exit 1
+LC_ALL=C tr -d '\r' < xg-po-2.tmp.po > xg-po-2.po || Exit 1
+
+cat <<EOF > xg-po-2.ok
+msgid "first msgid"
+msgid_plural "first msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "second msgid"
+msgid_plural "second msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "third msgid"
+msgid_plural "third msgid (plural)"
+msgstr[0] ""
+msgstr[1] ""
+EOF
+
+: ${DIFF=diff}
+${DIFF} xg-po-2.ok xg-po-2.po
+result=$?
+
+exit $result
-- 
1.9.1