Bug 1733869 - gettext: Getting errors in double free with msgfmt command.
Summary: gettext: Getting errors in double free with msgfmt command.
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: gettext
Version: 35
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Sundeep Anand
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-29 05:46 UTC by Pooja Yadav
Modified: 2021-08-10 12:46 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug



Description Pooja Yadav 2019-07-29 05:46:04 UTC
Description of problem: Error in poc; please refer to the result section for details.


Version-Release number of selected component (if applicable):
gettext-0.19.8.1-18.fc30.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Clone https://github.com/CCCCCrash/POCs.git.
2. Run valgrind msgfmt poc command.
3. Observe the output.

Actual results:
[poyadav@localhost doublefree]$ valgrind msgfmt poc
==8072== Memcheck, a memory error detector
==8072== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8072== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==8072== Command: msgfmt poc
==8072== 
==8072== Conditional jump or move depends on uninitialised value(s)
==8072==    at 0x48D9940: freea (in /usr/lib64/libgettextlib-0.19.8.1.so)
==8072==    by 0x487E8EA: po_lex_charset_set (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072==    by 0x487E098: po_gram_parse (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072==    by 0x487EB9A: ??? (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072==    by 0x487A773: catalog_reader_parse (in /usr/lib64/libgettextsrc-0.19.8.1.so)
==8072==    by 0x10E7C7: ??? (in /usr/bin/msgfmt)
==8072==    by 0x10D8EB: ??? (in /usr/bin/msgfmt)
==8072==    by 0x4AABF32: (below main) (in /usr/lib64/libc-2.29.so)
==8072== 
poc:17: duplicate message definition...
poc:16: ...this is the location of the first definition
poc:18:3: syntax error
poc:18: keyword "n" unknown
poc:19: end-of-line within string
poc:28: duplicate message definition...
poc:24: ...this is the location of the first definition
poc:35: keyword "msgud_plural" unknown
poc:34: missing 'msgstr' section
poc:35:13: syntax error
poc:40: end-of-line within string
poc:46: end-of-line within string
poc: warning: Charset missing in header.
              Message conversion to user's charset will not work.
poc:42: duplicate message definition...
poc:6: ...this is the location of the first definition
poc:46:2: syntax error
poc:46: keyword "Ep" unknown
poc:47: keyword "C" unknown
poc:48: keyword "s" unknown
poc:49: keyword "bo" unknown
poc:50: keyword "S" unknown
poc:50:236: invalid control sequence
poc:50:397: invalid control sequence
poc:51: end-of-line within string
msgfmt: too many errors, aborting
==8072== 
==8072== HEAP SUMMARY:
==8072==     in use at exit: 59,783 bytes in 123 blocks
==8072==   total heap usage: 547 allocs, 424 frees, 99,479 bytes allocated
==8072== 
==8072== LEAK SUMMARY:
==8072==    definitely lost: 650 bytes in 82 blocks
==8072==    indirectly lost: 0 bytes in 0 blocks
==8072==      possibly lost: 0 bytes in 0 blocks
==8072==    still reachable: 59,133 bytes in 41 blocks
==8072==         suppressed: 0 bytes in 0 blocks
==8072== Rerun with --leak-check=full to see details of leaked memory
==8072== 
==8072== Use --track-origins=yes to see where uninitialised values come from
==8072== For lists of detected and suppressed errors, rerun with: -s
==8072== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)


Expected results:
No errors.

Additional info:

Comment 1 Sundeep Anand 2020-04-07 06:43:23 UTC
with gettext-0.20.1-3.fc31.x86_64

[suanand@localhost doublefree]$ valgrind msgfmt poc 
==16488== Memcheck, a memory error detector
==16488== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16488== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==16488== Command: msgfmt poc
==16488== 
poc:17: duplicate message definition...
poc:16: ...this is the location of the first definition
poc:18:3: syntax error
poc:18: keyword "n" unknown
poc:19: end-of-line within string
poc:28: duplicate message definition...
poc:24: ...this is the location of the first definition
poc:35: keyword "msgud_plural" unknown
poc:34: missing 'msgstr' section
poc:35:13: syntax error
poc:40: end-of-line within string
poc:46: end-of-line within string
poc: warning: Charset missing in header.
              Message conversion to user's charset will not work.
poc:42: duplicate message definition...
poc:6: ...this is the location of the first definition
poc:46:2: syntax error
poc:46: keyword "Ep" unknown
poc:47: keyword "C" unknown
poc:48: keyword "s" unknown
poc:49: keyword "bo" unknown
poc:50: keyword "S" unknown
poc:50:236: invalid control sequence
poc:50:397: invalid control sequence
poc:51: end-of-line within string
msgfmt: too many errors, aborting
==16488== 
==16488== HEAP SUMMARY:
==16488==     in use at exit: 59,727 bytes in 123 blocks
==16488==   total heap usage: 547 allocs, 424 frees, 99,367 bytes allocated
==16488== 
==16488== LEAK SUMMARY:
==16488==    definitely lost: 650 bytes in 82 blocks
==16488==    indirectly lost: 0 bytes in 0 blocks
==16488==      possibly lost: 0 bytes in 0 blocks
==16488==    still reachable: 59,077 bytes in 41 blocks
==16488==         suppressed: 0 bytes in 0 blocks
==16488== Rerun with --leak-check=full to see details of leaked memory
==16488== 
==16488== For lists of detected and suppressed errors, rerun with: -s
==16488== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Though we have msgfmt reporting errors and some memory leaks as well, valgrind says 0 errors for memory errors!
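
As an added example (not code from the bug report or from gettext), a small POSIX sh triage helper that applies the point made in the original report and in comment 1: it separates msgfmt's own parse diagnostics, which any malformed .po input produces, from the memory errors and leaks that Valgrind counts, so a corpus of such inputs can be screened for a regression of the uninitialised read in freea(). The function names and the trimmed sample logs are constructed for this illustration.

```sh
#!/bin/sh
# Added triage helper (not from the bug report or from gettext): separates
# msgfmt's own parse diagnostics, expected on a malformed .po file, from the
# memory errors and leaks Valgrind reports, so runs like those above classify.

# Constructed sample, trimmed from the first Valgrind run in the report.
SAMPLE_FC30='==8072== Conditional jump or move depends on uninitialised value(s)
==8072==    at 0x48D9940: freea (in /usr/lib64/libgettextlib-0.19.8.1.so)
poc:17: duplicate message definition...
msgfmt: too many errors, aborting
==8072==    definitely lost: 650 bytes in 82 blocks
==8072== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)'

# Constructed sample, trimmed from the second run (comment 1): leak only.
SAMPLE_FC31='poc:17: duplicate message definition...
msgfmt: too many errors, aborting
==16488==    definitely lost: 650 bytes in 82 blocks
==16488== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)'

# Memory errors counted by Valgrind; 0 when no ERROR SUMMARY line is present.
vg_error_count() {
    printf '%s\n' "$1" | sed -n 's/^==[0-9]*== ERROR SUMMARY: \([0-9]*\) errors.*/\1/p' | grep . || echo 0
}

# Bytes Valgrind reports as definitely lost (thousands separators removed).
vg_definitely_lost() {
    printf '%s\n' "$1" | sed -n 's/^==[0-9]*== *definitely lost: \([0-9,]*\) bytes.*/\1/p' | tr -d , | grep . || echo 0
}

# Innermost frame of the first memory error ("freea" in the report).
vg_first_error_frame() {
    printf '%s\n' "$1" | sed -n 's/^==[0-9]*== *at 0x[0-9A-Fa-f]*: \([^ ]*\) .*/\1/p' | head -n 1
}

# Lines that did not come from Valgrind, i.e. msgfmt's own diagnostics.
msgfmt_diag_count() {
    printf '%s\n' "$1" | grep -c -v '^==[0-9]*==' || true
}

# Verdict: memory-error > leak-only > clean. msgfmt parse errors never change it.
classify_run() {
    if [ "$(vg_error_count "$1")" -gt 0 ]; then echo memory-error
    elif [ "$(vg_definitely_lost "$1")" -gt 0 ]; then echo leak-only
    else echo clean; fi
}

# Live use (needs valgrind and msgfmt): --error-exitcode exposes memory errors
# in the exit status, which msgfmt's own non-zero exit on parse errors would hide.
run_msgfmt_under_valgrind() {
    valgrind --error-exitcode=99 --track-origins=yes msgfmt "$1" 2>&1
}
```

Feeding the output of run_msgfmt_under_valgrind into classify_run gives one verdict per input file, so only "memory-error" results need a human look.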

Comment 2 Pooja Yadav 2020-04-13 11:13:29 UTC
(In reply to Sundeep Anand from comment #1)
> with gettext-0.20.1-3.fc31.x86_64
> 
> [suanand@localhost doublefree]$ valgrind msgfmt poc 
> ==16488== Memcheck, a memory error detector
> ==16488== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==16488== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
> ==16488== Command: msgfmt poc
> ==16488== 
> poc:17: duplicate message definition...
> poc:16: ...this is the location of the first definition
> poc:18:3: syntax error
> poc:18: keyword "n" unknown
> poc:19: end-of-line within string
> poc:28: duplicate message definition...
> poc:24: ...this is the location of the first definition
> poc:35: keyword "msgud_plural" unknown
> poc:34: missing 'msgstr' section
> poc:35:13: syntax error
> poc:40: end-of-line within string
> poc:46: end-of-line within string
> poc: warning: Charset missing in header.
>               Message conversion to user's charset will not work.
> poc:42: duplicate message definition...
> poc:6: ...this is the location of the first definition
> poc:46:2: syntax error
> poc:46: keyword "Ep" unknown
> poc:47: keyword "C" unknown
> poc:48: keyword "s" unknown
> poc:49: keyword "bo" unknown
> poc:50: keyword "S" unknown
> poc:50:236: invalid control sequence
> poc:50:397: invalid control sequence
> poc:51: end-of-line within string
> msgfmt: too many errors, aborting
> ==16488== 
> ==16488== HEAP SUMMARY:
> ==16488==     in use at exit: 59,727 bytes in 123 blocks
> ==16488==   total heap usage: 547 allocs, 424 frees, 99,367 bytes allocated
> ==16488== 
> ==16488== LEAK SUMMARY:
> ==16488==    definitely lost: 650 bytes in 82 blocks
> ==16488==    indirectly lost: 0 bytes in 0 blocks
> ==16488==      possibly lost: 0 bytes in 0 blocks
> ==16488==    still reachable: 59,077 bytes in 41 blocks
> ==16488==         suppressed: 0 bytes in 0 blocks
> ==16488== Rerun with --leak-check=full to see details of leaked memory
> ==16488== 
> ==16488== For lists of detected and suppressed errors, rerun with: -s
> ==16488== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
> 
> Though we have msgfmt reporting errors and some memory leaks as well;
> valgrind says 0 errors for memory error!

Yes, correct with gettext-0.20.1-4.fc32.x86_64 also, valgrind says ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Comment 3 Fedora Program Management 2021-04-29 15:56:06 UTC
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 32 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 Ben Cotton 2021-08-10 12:46:04 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.

