/a/builder/home/kraj/work/oe/musl/src/locale/dcngettext.c

Bug Summary

File:	src/locale/dcngettext.c
Location:	line 139, column 21
Description:	Potential leak of memory pointed to by 'p'

Annotated Source Code

#include <libintl.h>

#include <stdlib.h>

#include <string.h>

#include <errno(*__errno_location()).h>

#include <limits.h>

#include <sys/stat.h>

#include <ctype.h>

#include "locale_impl.h"

#include "libc.h"

#include "atomic.h"

struct binding {

struct binding *next;

int dirlen;

volatile int active;

char *domainname;

char *dirname;

char buf[];

};

static void *volatile bindings;

static char *gettextdir(const char *domainname, size_t *dirlen)

{

struct binding *p;

for (p=bindings; p; p=p->next) {

if (!strcmp(p->domainname, domainname) && p->active) {

*dirlen = p->dirlen;

return (char *)p->dirname;

}

return 0;

}

char *bindtextdomain(const char *domainname, const char *dirname)

{

static volatile int lock[2];

struct binding *p, *q;

if (!domainname) return 0;

if (!dirname) return gettextdir(domainname, &(size_t){0});

size_t domlen = strlen(domainname);

size_t dirlen = strlen(dirname);

if (domlen > NAME_MAX255 || dirlen >= PATH_MAX4096) {

errno(*__errno_location()) = EINVAL22;

return 0;

}

LOCK(lock)__lock(lock);

for (p=bindings; p; p=p->next) {

if (!strcmp(p->domainname, domainname) &&

!strcmp(p->dirname, dirname)) {

break;

}

if (!p) {

p = malloc(sizeof *p + domlen + dirlen + 2);

if (!p) {

UNLOCK(lock)__unlock(lock);

return 0;

}

p->next = bindings;

p->dirlen = dirlen;

p->domainname = p->buf;

p->dirname = p->buf + domlen + 1;

memcpy(p->domainname, domainname, domlen+1);

memcpy(p->dirname, dirname, dirlen+1);

a_cas_pa_cas_p(&bindings, bindings, p);

}

a_storea_store(&p->active, 1);

for (q=bindings; q; q=q->next) {

if (!strcmp(p->domainname, domainname) && q != p)

a_storea_store(&q->active, 0);

}

UNLOCK(lock)__unlock(lock);

return (char *)p->dirname;

}

static const char catnames[][12] = {

"LC_CTYPE",

"LC_NUMERIC",

"LC_TIME",

"LC_COLLATE",

"LC_MONETARY",

"LC_MESSAGES",

};

static const char catlens[] = { 8, 10, 7, 10, 11, 11 };

struct msgcat {

struct msgcat *next;

const void *map;

100

size_t map_size;

101

void *volatile plural_rule;

102

volatile int nplurals;

103

char name[];

104

};

105

106

static char *dummy_gettextdomain()

107

{

108

return "messages";

109

}

110

111

weak_alias(dummy_gettextdomain, __gettextdomain)extern __typeof(dummy_gettextdomain) __gettextdomain __attribute__
((weak, alias("dummy_gettextdomain")));

112

113

const unsigned char *__map_file(const char *, size_t *);

114

int __munmap(void *, size_t);

115

unsigned long __pleval(const char *, unsigned long);

116

117

char *dcngettext(const char *domainname, const char *msgid1, const char *msgid2, unsigned long int n, int category)

118

{

119

static struct msgcat *volatile cats;

120

struct msgcat *p;

121

struct __locale_struct *loc = CURRENT_LOCALE(__pthread_self()->locale);

122

const struct __locale_map *lm;

123

const char *dirname, *locname, *catname;

124

size_t dirlen, loclen, catlen, domlen;

125

126

if ((unsigned)category >= LC_ALL6) goto notrans;

Assuming 'category' is < 6

→

←

Taking false branch

→

127

128

if (!domainname) domainname = __gettextdomain();

←

Assuming 'domainname' is non-null

→

←

Taking false branch

→

129

130

domlen = strlen(domainname);

131

if (domlen > NAME_MAX255) goto notrans;

←

Assuming 'domlen' is <= 255

→

←

Taking false branch

→

132

133

dirname = gettextdir(domainname, &dirlen);

134

if (!dirname) goto notrans;

←

Assuming 'dirname' is non-null

→

←

Taking false branch

→

135

136

lm = loc->cat[category];

137

if (!lm) {

←

Assuming 'lm' is non-null

→

←

Taking false branch

→

138

notrans:

139

return (char *) ((n == 1) ? msgid1 : msgid2);

←

Potential leak of memory pointed to by 'p'

140

}

141

locname = lm->name;

142

143

catname = catnames[category];

144

catlen = catlens[category];

145

loclen = strlen(locname);

146

147

size_t namelen = dirlen+1 + loclen+1 + catlen+1 + domlen+3;

148

char name[namelen+1], *s = name;

149

150

memcpy(s, dirname, dirlen);

151

s[dirlen] = '/';

152

s += dirlen + 1;

153

memcpy(s, locname, loclen);

154

s[loclen] = '/';

155

s += loclen + 1;

156

memcpy(s, catname, catlen);

157

s[catlen] = '/';

158

s += catlen + 1;

159

memcpy(s, domainname, domlen);

160

s[domlen] = '.';

161

s[domlen+1] = 'm';

162

s[domlen+2] = 'o';

163

s[domlen+3] = 0;

164

165

for (p=cats; p; p=p->next)

←

Loop condition is false. Execution continues on line 169

→

166

if (!strcmp(p->name, name))

167

break;

168

169

if (!p) {

←

Taking true branch

→

170

void *old_cats;

171

size_t map_size;

172

const void *map = __map_file(name, &map_size);

173

if (!map) goto notrans;

←

Assuming 'map' is non-null

→

←

Taking false branch

→

174

p = malloc(sizeof *p + namelen + 1);

←

Memory is allocated

→

175

if (!p) {

←

Assuming 'p' is non-null

→

←

Taking false branch

→

176

__munmap((void *)map, map_size);

177

goto notrans;

178

}

179

p->map = map;

180

p->map_size = map_size;

181

memcpy(p->name, name, namelen+1);

182

do {

←

Loop condition is false. Exiting loop

→

183

old_cats = cats;

184

p->next = old_cats;

185

} while (a_cas_pa_cas_p(&cats, old_cats, p) != old_cats);

186

}

187

188

const char *trans = __mo_lookup(p->map, p->map_size, msgid1);

189

if (!trans) goto notrans;

←

Assuming 'trans' is null

Taking true branch

Control jumps to line 139

→

190

191

/* Non-plural-processing gettext forms pass a null pointer as

192

* msgid2 to request that dcngettext suppress plural processing. */

193

if (!msgid2) return (char *)trans;

194

195

if (!p->plural_rule) {

196

const char *rule = "n!=1;";

197

unsigned long np = 2;

198

const char *r = __mo_lookup(p->map, p->map_size, "");

199

char *z;

200

while (r && strncmp(r, "Plural-Forms:", 13)) {

201

z = strchr(r, '\n');

202

r = z ? z+1 : 0;

203

}

204

if (r) {

205

r += 13;

206

while (isspace(*r)__isspace(*r)) r++;

207

if (!strncmp(r, "nplurals=", 9)) {

208

np = strtoul(r+9, &z, 10);

209

r = z;

210

}

211

while (*r && *r != ';') r++;

212

if (*r) {

213

r++;

214

while (isspace(*r)__isspace(*r)) r++;

215

if (!strncmp(r, "plural=", 7))

216

rule = r+7;

217

}

218

}

219

a_storea_store(&p->nplurals, np);

220

a_cas_pa_cas_p(&p->plural_rule, 0, (void *)rule);

221

}

222

if (p->nplurals) {

223

unsigned long plural = __pleval(p->plural_rule, n);

224

if (plural > p->nplurals) goto notrans;

225

while (plural--) {

226

size_t rem = p->map_size - (trans - (char *)p->map);

227

size_t l = strnlen(trans, rem);

228

if (l+1 >= rem)

229

goto notrans;

230

trans += l+1;

231

}

232

}

233

return (char *)trans;

234

}

235

236

char *dcgettext(const char *domainname, const char *msgid, int category)

237

{

238

return dcngettext(domainname, msgid, 0, 1, category);

239

}

240

241

char *dngettext(const char *domainname, const char *msgid1, const char *msgid2, unsigned long int n)

242

{

243

return dcngettext(domainname, msgid1, msgid2, n, LC_MESSAGES5);

244

}

245

246

char *dgettext(const char *domainname, const char *msgid)

247

{

248

return dcngettext(domainname, msgid, 0, 1, LC_MESSAGES5);

249

}