gettext/gettext-0.19.8.1-CVE-2018-18751.patch

From dce3a16e5e9368245735e29bf498dcd5e3e474a4 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 15 Sep 2016 13:57:24 +0200
Subject: [PATCH] xgettext: Fix crash with *.po file input

When xgettext was given two *.po files with the same msgid_plural, it
crashed with double-free.  Problem reported by Davlet Panech in:
http://lists.gnu.org/archive/html/bug-gettext/2016-09/msg00001.html

praiskup: I dropped the testsuite part, otherwise we'd have to
'autoreconf -vif' the sources.

diff --git a/gettext-tools/src/po-gram-gen.y b/gettext-tools/src/po-gram-gen.y
index becf5e607..4428e7725 100644
--- a/gettext-tools/src/po-gram-gen.y
+++ b/gettext-tools/src/po-gram-gen.y
@@ -221,14 +221,11 @@ message
                   check_obsolete ($1, $3);
                   check_obsolete ($1, $4);
                   if (!$1.obsolete || pass_obsolete_entries)
-                    {
-                      do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
-                                           $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
-                                           $1.prev_ctxt,
-                                           $1.prev_id, $1.prev_id_plural,
-                                           $1.obsolete);
-                      free ($3.string);
-                    }
+                    do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,
+                                         $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,
+                                         $1.prev_ctxt,
+                                         $1.prev_id, $1.prev_id_plural,
+                                         $1.obsolete);
                   else
                     {
                       free_message_intro ($1);
diff --git a/gettext-tools/src/read-catalog.c b/gettext-tools/src/read-catalog.c
index 571d18e1b..6af6d2025 100644
--- a/gettext-tools/src/read-catalog.c
+++ b/gettext-tools/src/read-catalog.c
@@ -397,6 +397,8 @@ default_add_message (default_catalog_reader_ty *this,
          appropriate.  */
       mp = message_alloc (msgctxt, msgid, msgid_plural, msgstr, msgstr_len,
                           msgstr_pos);
+      if (msgid_plural != NULL)
+        free (msgid_plural);
       mp->prev_msgctxt = prev_msgctxt;
       mp->prev_msgid = prev_msgid;
       mp->prev_msgid_plural = prev_msgid_plural;
-- 
2.19.1
security: CVE-2018-18751 Resolves: rhbz#1647044 Version: 0.19.8.1-18 2018-11-08 09:10:48 +00:00			`From dce3a16e5e9368245735e29bf498dcd5e3e474a4 Mon Sep 17 00:00:00 2001`
			`From: Daiki Ueno <ueno@gnu.org>`
			`Date: Thu, 15 Sep 2016 13:57:24 +0200`
			`Subject: [PATCH] xgettext: Fix crash with *.po file input`

			`When xgettext was given two *.po files with the same msgid_plural, it`
			`crashed with double-free. Problem reported by Davlet Panech in:`
			`http://lists.gnu.org/archive/html/bug-gettext/2016-09/msg00001.html`

			`praiskup: I dropped the testsuite part, otherwise we'd have to`
			`'autoreconf -vif' the sources.`

			`diff --git a/gettext-tools/src/po-gram-gen.y b/gettext-tools/src/po-gram-gen.y`
			`index becf5e607..4428e7725 100644`
			`--- a/gettext-tools/src/po-gram-gen.y`
			`+++ b/gettext-tools/src/po-gram-gen.y`
			`@@ -221,14 +221,11 @@ message`
			`check_obsolete ($1, $3);`
			`check_obsolete ($1, $4);`
			`if (!$1.obsolete \|\| pass_obsolete_entries)`
			`- {`
			`- do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,`
			`- $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,`
			`- $1.prev_ctxt,`
			`- $1.prev_id, $1.prev_id_plural,`
			`- $1.obsolete);`
			`- free ($3.string);`
			`- }`
			`+ do_callback_message ($1.ctxt, string2, &$1.pos, $3.string,`
			`+ $4.rhs.msgstr, $4.rhs.msgstr_len, &$4.pos,`
			`+ $1.prev_ctxt,`
			`+ $1.prev_id, $1.prev_id_plural,`
			`+ $1.obsolete);`
			`else`
			`{`
			`free_message_intro ($1);`
			`diff --git a/gettext-tools/src/read-catalog.c b/gettext-tools/src/read-catalog.c`
			`index 571d18e1b..6af6d2025 100644`
			`--- a/gettext-tools/src/read-catalog.c`
			`+++ b/gettext-tools/src/read-catalog.c`
			`@@ -397,6 +397,8 @@ default_add_message (default_catalog_reader_ty *this,`
			`appropriate. */`
			`mp = message_alloc (msgctxt, msgid, msgid_plural, msgstr, msgstr_len,`
			`msgstr_pos);`
			`+ if (msgid_plural != NULL)`
			`+ free (msgid_plural);`
			`mp->prev_msgctxt = prev_msgctxt;`
			`mp->prev_msgid = prev_msgid;`
			`mp->prev_msgid_plural = prev_msgid_plural;`
			`--`
			`2.19.1`