Bug 1733869 - gettext: Getting errors in double free with msgfmt command.
Summary: gettext: Getting errors in double free with msgfmt command.
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: gettext
Version: 32
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Sundeep Anand
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-29 05:46 UTC by Pooja Yadav
Modified: 2020-04-13 11:13 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug



Description Pooja Yadav 2019-07-29 05:46:04 UTC
Description of problem: Error in poc; please refer to the result section for details.


Version-Release number of selected component (if applicable):
gettext-0.19.8.1-18.fc30.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Clone https://github.com/CCCCCrash/POCs.git.
2. Run the valgrind msgfmt poc command.
3. Observe the output.

Actual results:
[poyadav@localhost doublefree]$ valgrind msgfmt poc
==8072== Memcheck, a memory error detector
==8072== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8072== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==8072== Command: msgfmt poc
==8072== 
==8072== Conditional jump or move depends on uninitialised value(s)
==8072==    at 0x48D9940: freea (in /usr/lib64/libgettextlib-0.19.8.1.so)
==8072==    by 0x487E8EA: po_lex_charset_set (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072==    by 0x487E098: po_gram_parse (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072==    by 0x487EB9A: ??? (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072==    by 0x487A773: catalog_reader_parse (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072==    by 0x10E7C7: ??? (in /usr/bin/msgfmt)
==8072==    by 0x10D8EB: ??? (in /usr/bin/msgfmt)
==8072==    by 0x4AABF32: (below main) (in /usr/lib64/libc-2.29.so)
==8072== 
poc:17: duplicate message definition...
poc:16: ...this is the location of the first definition
poc:18:3: syntax error
poc:18: keyword "n" unknown
poc:19: end-of-line within string
poc:28: duplicate message definition...
poc:24: ...this is the location of the first definition
poc:35: keyword "msgud_plural" unknown
poc:34: missing 'msgstr' section
poc:35:13: syntax error
poc:40: end-of-line within string
poc:46: end-of-line within string
poc: warning: Charset missing in header.
              Message conversion to user's charset will not work.
poc:42: duplicate message definition...
poc:6: ...this is the location of the first definition
poc:46:2: syntax error
poc:46: keyword "Ep" unknown
poc:47: keyword "C" unknown
poc:48: keyword "s" unknown
poc:49: keyword "bo" unknown
poc:50: keyword "S" unknown
poc:50:236: invalid control sequence
poc:50:397: invalid control sequence
poc:51: end-of-line within string
msgfmt: too many errors, aborting
==8072== 
==8072== HEAP SUMMARY:
==8072==     in use at exit: 59,783 bytes in 123 blocks
==8072==   total heap usage: 547 allocs, 424 frees, 99,479 bytes allocated
==8072== 
==8072== LEAK SUMMARY:
==8072==    definitely lost: 650 bytes in 82 blocks
==8072==    indirectly lost: 0 bytes in 0 blocks
==8072==      possibly lost: 0 bytes in 0 blocks
==8072==    still reachable: 59,133 bytes in 41 blocks
==8072==         suppressed: 0 bytes in 0 blocks
==8072== Rerun with --leak-check=full to see details of leaked memory
==8072== 
==8072== Use --track-origins=yes to see where uninitialised values come from
==8072== For lists of detected and suppressed errors, rerun with: -s
==8072== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)


Expected results:
No errors.

Additional info:

Comment 1 Sundeep Anand 2020-04-07 06:43:23 UTC
with gettext-0.20.1-3.fc31.x86_64

[suanand@localhost doublefree]$ valgrind msgfmt poc 
==16488== Memcheck, a memory error detector
==16488== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16488== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==16488== Command: msgfmt poc
==16488== 
poc:17: duplicate message definition...
poc:16: ...this is the location of the first definition
poc:18:3: syntax error
poc:18: keyword "n" unknown
poc:19: end-of-line within string
poc:28: duplicate message definition...
poc:24: ...this is the location of the first definition
poc:35: keyword "msgud_plural" unknown
poc:34: missing 'msgstr' section
poc:35:13: syntax error
poc:40: end-of-line within string
poc:46: end-of-line within string
poc: warning: Charset missing in header.
              Message conversion to user's charset will not work.
poc:42: duplicate message definition...
poc:6: ...this is the location of the first definition
poc:46:2: syntax error
poc:46: keyword "Ep" unknown
poc:47: keyword "C" unknown
poc:48: keyword "s" unknown
poc:49: keyword "bo" unknown
poc:50: keyword "S" unknown
poc:50:236: invalid control sequence
poc:50:397: invalid control sequence
poc:51: end-of-line within string
msgfmt: too many errors, aborting
==16488== 
==16488== HEAP SUMMARY:
==16488==     in use at exit: 59,727 bytes in 123 blocks
==16488==   total heap usage: 547 allocs, 424 frees, 99,367 bytes allocated
==16488== 
==16488== LEAK SUMMARY:
==16488==    definitely lost: 650 bytes in 82 blocks
==16488==    indirectly lost: 0 bytes in 0 blocks
==16488==      possibly lost: 0 bytes in 0 blocks
==16488==    still reachable: 59,077 bytes in 41 blocks
==16488==         suppressed: 0 bytes in 0 blocks
==16488== Rerun with --leak-check=full to see details of leaked memory
==16488== 
==16488== For lists of detected and suppressed errors, rerun with: -s
==16488== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Though we have msgfmt reporting errors, and some memory leaks as well, valgrind says 0 errors for memory errors!
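
Triage helper added here as an illustration; it is not part of this bug report or of gettext. Comment 1 makes a distinction that is easy to lose in a pasted log: msgfmt's own parse diagnostics ("syntax error", "keyword unknown"), Memcheck's "definitely lost" leak bytes, and the one Memcheck memory error (the uninitialised-value read in freea) are three different things, and only the last one is the memory-safety finding. The script below parses Memcheck output into those three buckets and compares two runs of the same reproducer. The two sample logs are abridged, constructed copies of the output quoted in this bug (the 0.19.8.1 run with its freea stack, and the 0.20.1 run with 0 errors); the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: abridged copies of the two valgrind runs quoted in this
# bug (gettext 0.19.8.1 first, gettext 0.20.1 second). Only the lines the parser
# acts on are kept; addresses and library paths are those from the report.
RUN_0_19 = """\
==8072== Conditional jump or move depends on uninitialised value(s)
==8072==    at 0x48D9940: freea (in /usr/lib64/libgettextlib-0.19.8.1.so)
==8072==    by 0x487E8EA: po_lex_charset_set (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072==    by 0x487E098: po_gram_parse (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072== 
poc:17: duplicate message definition...
msgfmt: too many errors, aborting
==8072== LEAK SUMMARY:
==8072==    definitely lost: 650 bytes in 82 blocks
==8072== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
"""
RUN_0_20 = """\
==16488== 
poc:17: duplicate message definition...
msgfmt: too many errors, aborting
==16488== LEAK SUMMARY:
==16488==    definitely lost: 650 bytes in 82 blocks
==16488== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
"""

PREFIX = re.compile(r"^==(\d+)==(.*)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(in (\S+)\)$")
ERROR_SUMMARY = re.compile(r"ERROR SUMMARY: (\d+) errors? from (\d+) contexts?")
DEFINITELY_LOST = re.compile(r"definitely lost: ([\d,]+) bytes in ([\d,]+) blocks")
# Memcheck message heads that denote a memory error (leaks are reported separately).
ERROR_KINDS = ("Conditional jump or move depends on uninitialised",
               "Use of uninitialised value", "Invalid read", "Invalid write",
               "Invalid free", "Mismatched free", "Syscall param")

@dataclass
class Finding:
    message: str
    frames: List[str] = field(default_factory=list)  # function names, innermost first

@dataclass
class ValgrindReport:
    pid: Optional[int] = None
    findings: List[Finding] = field(default_factory=list)
    error_count: Optional[int] = None            # from the ERROR SUMMARY line
    definitely_lost_bytes: Optional[int] = None  # from the LEAK SUMMARY block
    program_stderr: List[str] = field(default_factory=list)  # the traced program's own lines

def parse_valgrind(text: str) -> ValgrindReport:
    """Split a Memcheck log into valgrind findings and the traced program's own stderr."""
    report = ValgrindReport()
    current: Optional[Finding] = None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if m is None:                      # no ==pid== prefix: msgfmt wrote this line
            report.program_stderr.append(raw)
            current = None
            continue
        report.pid = int(m.group(1))
        body = m.group(2).strip()
        if not body:                       # blank valgrind line ends a stack trace
            current = None
            continue
        fm = FRAME.match(body)
        if fm is not None and current is not None:
            current.frames.append(fm.group(1))
            continue
        em = ERROR_SUMMARY.search(body)
        if em is not None:
            report.error_count = int(em.group(1))
            continue
        lm = DEFINITELY_LOST.search(body)
        if lm is not None:
            report.definitely_lost_bytes = int(lm.group(1).replace(",", ""))
            continue
        # Header of a new memory-error finding, or a line we do not care about.
        current = Finding(message=body) if body.startswith(ERROR_KINDS) else None
        if current is not None:
            report.findings.append(current)
    return report

def finding_touches(report: ValgrindReport, function: str) -> bool:
    """True if any memory-error stack in the report passes through `function`."""
    return any(function in f.frames for f in report.findings)

def compare_runs(before: ValgrindReport, after: ValgrindReport) -> dict:
    """What changed between two runs of the same reproducer. msgfmt's own parse
    diagnostics and the leak bytes are kept apart from the memory-error count,
    because only the latter is the memory-safety finding this bug is about."""
    return {
        "memory_errors": (before.error_count, after.error_count),
        "memory_error_fixed": bool(before.error_count) and after.error_count == 0,
        "definitely_lost_bytes": (before.definitely_lost_bytes, after.definitely_lost_bytes),
        "leak_unchanged": before.definitely_lost_bytes == after.definitely_lost_bytes,
        "msgfmt_still_rejects_input": any(line.startswith("msgfmt:") for line in after.program_stderr),
    }

if __name__ == "__main__":
    print(compare_runs(parse_valgrind(RUN_0_19), parse_valgrind(RUN_0_20)))
```

Run against the two quoted logs it reports memory_errors (1, 0), memory_error_fixed True and leak_unchanged True, which is exactly the split comment 1 draws: the uninitialised-value read in freea is gone in 0.20.1, the 650 bytes definitely lost are not, and msgfmt still rejects the malformed poc file with its own diagnostics. For a real triage run, --track-origins=yes and --leak-check=full (both suggested by valgrind in the log above) make the findings it parses more specific.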

Comment 2 Pooja Yadav 2020-04-13 11:13:29 UTC
(In reply to Sundeep Anand from comment #1)
> with gettext-0.20.1-3.fc31.x86_64
> 
> [suanand@localhost doublefree]$ valgrind msgfmt poc 
> ==16488== Memcheck, a memory error detector
> ==16488== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==16488== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
> ==16488== Command: msgfmt poc
> ==16488== 
> poc:17: duplicate message definition...
> poc:16: ...this is the location of the first definition
> poc:18:3: syntax error
> poc:18: keyword "n" unknown
> poc:19: end-of-line within string
> poc:28: duplicate message definition...
> poc:24: ...this is the location of the first definition
> poc:35: keyword "msgud_plural" unknown
> poc:34: missing 'msgstr' section
> poc:35:13: syntax error
> poc:40: end-of-line within string
> poc:46: end-of-line within string
> poc: warning: Charset missing in header.
>               Message conversion to user's charset will not work.
> poc:42: duplicate message definition...
> poc:6: ...this is the location of the first definition
> poc:46:2: syntax error
> poc:46: keyword "Ep" unknown
> poc:47: keyword "C" unknown
> poc:48: keyword "s" unknown
> poc:49: keyword "bo" unknown
> poc:50: keyword "S" unknown
> poc:50:236: invalid control sequence
> poc:50:397: invalid control sequence
> poc:51: end-of-line within string
> msgfmt: too many errors, aborting
> ==16488== 
> ==16488== HEAP SUMMARY:
> ==16488==     in use at exit: 59,727 bytes in 123 blocks
> ==16488==   total heap usage: 547 allocs, 424 frees, 99,367 bytes allocated
> ==16488== 
> ==16488== LEAK SUMMARY:
> ==16488==    definitely lost: 650 bytes in 82 blocks
> ==16488==    indirectly lost: 0 bytes in 0 blocks
> ==16488==      possibly lost: 0 bytes in 0 blocks
> ==16488==    still reachable: 59,077 bytes in 41 blocks
> ==16488==         suppressed: 0 bytes in 0 blocks
> ==16488== Rerun with --leak-check=full to see details of leaked memory
> ==16488== 
> ==16488== For lists of detected and suppressed errors, rerun with: -s
> ==16488== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
> 
> Though we have msgfmt reporting errors and some memory leaks as well;
> valgrind says 0 errors for memory error!

Yes, correct. With gettext-0.20.1-4.fc32.x86_64 also, valgrind says ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0).

