On 03/11/2015 02:01 AM, Daiki Ueno wrote: > It is surprising that there are no checks of lengths/offsets read from > MO files. Currently, I'm thinking of the attached patch (to gettext), > which is a bit complicated. If anyone could suggest a cleaner approach, > I'd appreciate it.
Why does it surprise you? The MO files are writable only by root, so it's not a security issue because if you could write to them you'd be root, and you'd have full access to the system anyway. The other alternative is that the filesystem is corrupted and loading the MO file crashes your application. This is expected since the filesystem is corrupted. You are suggesting we add some rather complex checking for the possibly low probability case of a corrupted filesystem. If the filesystem is corrupted other things will be failing and you need to fix the corruption. What strong technical reasons do you have for propsing these additional checks? Cheers, Carlos.
