Jesper Fehrlund <jes...@prisjakt.nu> writes:

> I'm a colleague of Johan and I spent some time looking through the
> source code trying to figure out what the problem is.
> The problem seems to be that if the sameargnum is used then msgid and
> msgid_plural will point to the same address.
> Later in remember_a_message, if the msgid has already been encountered
> it will call free on the msgid, making msgid_plural an invalid pointer
> which is then passed to free in remember_a_message_plural.

Thanks for looking into it.

> This seems a bit tricky to solve given the current implementation.
>
> You can, however, solve it by making sure the two do not point to
> the same address to begin with (see attached patch).

Do all the tests pass after the change?  I think throughout the code
xgettext.c assumes that cp->msgid and cp->msgid_plural point to the same
address when they are the same string.  Perhaps all the address
comparisons need to be replaced with strcmp.  I don't oppose doing so;
that could make the code less hairy, though that might sacrifice
performance a bit.

> An issue with this solution is that there seems to be (at least) one
> other instance where the pointers could point to the same object, when
> looking at lines:
> 3105 free (best_cp->msgid);
> 3106 if (best_cp->msgid_plural == best_cp->msgid)
> 3107 best_cp->msgid_plural = msgid;
> 3108 best_cp->msgid = msgid;
>
> So it's possible that the same bug would appear here, I'm not sure how
> to exercise this code path.
> A similar solution could probably be applied here.

This part should be unrelated.  It is there to preserve the condition:
best_cp->msgid_plural == best_cp->msgid after the code conversion in
earlier lines.

Regards,
-- 
Daiki Ueno
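The ownership problem discussed in this thread, as an added C example that is not gettext's own code: a message record whose msgid and msgid_plural either share one allocation (the layout the thread describes) or own separate copies (the attached patch's idea), plus a replace step modelled on the quoted xgettext.c lines 3105-3108 and a destructor that frees each allocation exactly once under either layout. All names here (msg_entry, msg_entry_set_aliased, msg_entry_set_separate, msg_entry_replace_msgid, run_scenario, the counted allocation helpers) are hypothetical, and the sample strings are constructed for the example.

```c
/* Added example (not gettext's code): msgid / msgid_plural aliasing and
   two ways to keep free() from running twice on one allocation.
   struct msg_entry and every function below are hypothetical names. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Allocation bookkeeping so a caller can verify that every string
   allocated for an entry is released exactly once. */
static int live_strings = 0;

static char *dup_counted(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); live_strings++; }
    return p;
}

static void free_counted(char *p)
{
    if (p) { free(p); live_strings--; }
}

struct msg_entry {
    char *msgid;
    char *msgid_plural;   /* NULL when the message has no plural form */
};

/* Aliasing layout, as described in the thread: when both forms are the
   same string, msgid_plural is set to the very same pointer as msgid.
   Code that later frees msgid without looking at msgid_plural leaves the
   latter dangling; a second free() on it is undefined behaviour. */
static bool msg_entry_set_aliased(struct msg_entry *e, const char *id, const char *plural)
{
    e->msgid = dup_counted(id);
    e->msgid_plural = NULL;
    if (!e->msgid || !plural)
        return e->msgid != NULL;
    if (strcmp(id, plural) == 0) {
        e->msgid_plural = e->msgid;       /* one allocation, two owners */
        return true;
    }
    e->msgid_plural = dup_counted(plural);
    return e->msgid_plural != NULL;
}

/* Approach 1 (the patch's idea): never alias.  Identical text still gets
   its own copy, so each field owns one allocation; pointer identity no
   longer means "same string", so comparisons must use strcmp(). */
static bool msg_entry_set_separate(struct msg_entry *e, const char *id, const char *plural)
{
    e->msgid = dup_counted(id);
    e->msgid_plural = plural ? dup_counted(plural) : NULL;
    return e->msgid && (!plural || e->msgid_plural);
}

/* Approach 2: keep the aliasing layout but make every owner-changing step
   aware of it.  Modelled on the quoted lines 3105-3108: after msgid is
   replaced, msgid_plural must follow it if the two were aliased. */
static void msg_entry_replace_msgid(struct msg_entry *e, char *owned_id)
{
    bool aliased = (e->msgid_plural != NULL && e->msgid_plural == e->msgid);
    free_counted(e->msgid);
    if (aliased)
        e->msgid_plural = owned_id;
    e->msgid = owned_id;
}

/* Destructor correct for both layouts: the plural is freed only when it
   is a distinct allocation. */
static void msg_entry_free(struct msg_entry *e)
{
    if (e->msgid_plural != NULL && e->msgid_plural != e->msgid)
        free_counted(e->msgid_plural);
    free_counted(e->msgid);
    e->msgid = e->msgid_plural = NULL;
}

/* "Same string?" decided by content; the only test that works once
   aliasing is no longer guaranteed. */
static bool msg_entry_plural_equals_singular(const struct msg_entry *e)
{
    return e->msgid_plural != NULL && strcmp(e->msgid, e->msgid_plural) == 0;
}

/* Build an entry with identical forms and report whether the layout
   makes the two fields one pointer. */
static bool layout_aliases(bool use_separate)
{
    struct msg_entry e;
    bool ok = use_separate ? msg_entry_set_separate(&e, "item", "item")
                           : msg_entry_set_aliased(&e, "item", "item");
    if (!ok) return false;
    bool same = (e.msgid == e.msgid_plural);
    msg_entry_free(&e);
    return same;
}

/* Walk an entry through the "already encountered" path (msgid replaced by
   a canonical copy) and return the number of strings still live after
   destruction: 0 means every allocation was freed exactly once. */
static int run_scenario(bool use_separate)
{
    struct msg_entry e;
    bool ok = use_separate ? msg_entry_set_separate(&e, "item", "item")
                           : msg_entry_set_aliased(&e, "item", "item");
    if (!ok) return -1;
    if (!msg_entry_plural_equals_singular(&e)) { msg_entry_free(&e); return -2; }
    msg_entry_replace_msgid(&e, dup_counted("item"));   /* constructed canonical copy */
    msg_entry_free(&e);
    return live_strings;
}
```

Under the aliasing layout, layout_aliases(false) is true and run_scenario(false) still ends with zero live strings because both the replace step and the destructor check for the shared pointer first; under the separate layout the pointer check becomes meaningless, which is why the content comparison helper is the one callers should rely on once the patch's approach is taken.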