authorRich Felker <dalias@aerifal.cx>2014-07-29 12:25:41 -0400
committerRich Felker <dalias@aerifal.cx>2014-07-29 12:25:41 -0400
commite4dd0ab83cc191ba4e7d6e10328c30280d267ed9 (patch)
tree5b2730477149f95bea44fddaac819f95952bfc8e
parent6e89210669dfc93302a181a80ed440132e41f0dd (diff)
harden dcngettext plural processing
while the __mo_lookup backend can verify that the translated message ends with a null terminator, it has no way to know nplurals and thus no way to verify that sufficiently many null terminators are present in the string to satisfy all plural forms. the code in dcngettext was already attempting to avoid reading past the end of the mo file mapping, but failed to do so because the strlen call itself could over-read. using strnlen instead allows us to avoid the problem.
-rw-r--r--src/locale/dcngettext.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/locale/dcngettext.c b/src/locale/dcngettext.c
index 51e6522a..d3462fd2 100644
--- a/src/locale/dcngettext.c
+++ b/src/locale/dcngettext.c
@@ -229,8 +229,9 @@ notrans:
unsigned long plural = __pleval(p->plural_rule, n);
if (plural > p->nplurals) goto notrans;
while (plural--) {
- size_t l = strlen(trans);
- if (l+1 >= p->map_size - (trans - (char *)p->map))
+ size_t rem = p->map_size - (trans - (char *)p->map);
+ size_t l = strnlen(trans, rem);
+ if (l+1 >= rem)
goto notrans;
trans += l+1;
}
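Review bot: The plural form finally selected is never checked for a terminator. The loop bounds each skipped string against the end of the mapping, but once `plural` reaches zero `trans` is used as it stands. If the skipping ran past the message that __mo_lookup verified (per the description), nothing in this hunk guarantees a NUL before the map ends. A check after the loop would close that, for example `size_t rem = p->map_size - (trans - (char *)p->map); if (strnlen(trans, rem) == rem) goto notrans;`. Separately, the context line `if (plural > p->nplurals)` admits `plural == p->nplurals`, one past the last form index if forms are numbered from zero, so `>=` may be intended and is worth confirming. The enclosing block starts and ends outside the hunk, so a later check may already exist.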