Re: lib/58136 (Use after free in libintl pgettext)

To: lib-bug-people%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,riastradh%NetBSD.org@localhost,stix%stix.id.au@localhost
Subject: Re: lib/58136 (Use after free in libintl pgettext)
From: riastradh%NetBSD.org@localhost
Date: Sun, 18 Aug 2024 17:30:32 +0000 (UTC)

Synopsis: Use after free in libintl pgettext

State-Changed-From-To: needs-pullups->open
State-Changed-By: riastradh%NetBSD.org@localhost
State-Changed-When: Sun, 18 Aug 2024 17:30:32 +0000
State-Changed-Why:
This is not fixed -- it has no test case and there's still undefined
behaviour (referring to a pointer after it has been freed), requiring
another patch:

--- gettext.c
+++ gettext.c
@@ -174,10 +174,13 @@
 
 	translation = dcngettext(domainname, msgctxt_id,
 		msgid2, n, category);
-	free(msgctxt_id);
 
-	if (translation == msgctxt_id)
+	if (translation == msgctxt_id) {
+		free(msgctxt_id);
 		return msgid1;
+	}
+
+	free(msgctxt_id);
 
 	p = strchr(translation, '\004');
 	if (p)

(or something to that effect)

Prev by Date: Re: misc/58063 (nfs documentation doesn't make it clear enough that it exports entire file systems, not directory subtrees)
Next by Date: Re: port-alpha/58602 (cy82c693_init() calls bus_space_map() with spin lock held)
Previous by Thread: Re: lib/58136 (Use after free in libintl pgettext)
Next by Thread: Re: lib/58136 (Use after free in libintl pgettext)
Indexes:

Home | Main Index | Thread Index | Old Index