author | Rich Felker <dalias@aerifal.cx> | 2014-07-29 12:25:41 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2014-07-29 12:25:41 -0400 |
commit | e4dd0ab83cc191ba4e7d6e10328c30280d267ed9 | |
tree | 5b2730477149f95bea44fddaac819f95952bfc8e | |
parent | 6e89210669dfc93302a181a80ed440132e41f0dd | |
harden dcngettext plural processing
while the __mo_lookup backend can verify that the translated message
ends with a null terminator, it has no way to know nplurals and thus
no way to verify that sufficiently many null terminators are present
in the string to satisfy all plural forms. the code in dcngettext was
already attempting to avoid reading past the end of the mo file
mapping, but failed to do so because the strlen call itself could
over-read. using strnlen instead allows us to avoid the problem.
-rw-r--r-- | src/locale/dcngettext.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/locale/dcngettext.c b/src/locale/dcngettext.c index 51e6522a..d3462fd2 100644 --- a/src/locale/dcngettext.c +++ b/src/locale/dcngettext.c @@ -229,8 +229,9 @@ notrans: unsigned long plural = __pleval(p->plural_rule, n); if (plural > p->nplurals) goto notrans; while (plural--) { - size_t l = strlen(trans); - if (l+1 >= p->map_size - (trans - (char *)p->map)) + size_t rem = p->map_size - (trans - (char *)p->map); + size_t l = strnlen(trans, rem); + if (l+1 >= rem) goto notrans; trans += l+1; } |
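Review bot: after the `while (plural--)` loop exits, the string finally left in `trans` is not itself length-checked in these lines. The `if (l+1 >= rem)` test guarantees that at least one byte of the mapping remains at the new `trans`, but not that a null terminator occurs before `p->map_size`. If the skipping has walked past the end of the message that `__mo_lookup` validated, a caller reading the returned string could still run off the end of the mapping. Consider one more `strnlen` against the remaining size after the loop, going to `notrans` when no terminator is found. Separately, the context line `if (plural > p->nplurals) goto notrans;` lets `plural == p->nplurals` through, which is one past the last valid form index. `>=` looks like the intended comparison, although the new bound does keep the skipping for that case inside the mapping.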