`dgettext` and `dcgettext` Segmentation Fault

[EgodPrime]

Crash report

What happened?

In the documentation of locale, it says gettext
Return the localized translation of message, based on the current global domain, language, and locale directory and dgettext is similar to gettext but looks the message up in the specified domain.

However, I found the dgettext may be unsafe for special input (i.e., a super long domain with an empty msg). The same problem exists in the dcgettext.

import locale
a = 'x'*10000000
b = ''
locale.dgettext(a,b)

import locale
a = 'x'*10000000
b = ''
c = 1
locale.dcgettext(a,b,c)

(py313)  dcov@dcov-server:~/auto-pyapi-fuzzer$ gdb python
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.2) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from python...
set ar(gdb) set args bugs/bug3.py 
(gdb) r
Starting program: /home/dcov/miniconda3/envs/py313/bin/python bugs/bug3.py 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7c83a7e in __dcigettext (domainname=domainname@entry=0x7ffff6e6e038 'x' <repeats 200 times>..., msgid1=msgid1@entry=0x8ae530 <_PyRuntime+35344> "", msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=category@entry=5) at dcigettext.c:651
651     dcigettext.c: No such file or directory.

CPython versions tested on:

3.9, 3.10, 3.11, 3.12, 3.13

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.9.20 (main, Oct 3 2024, 07:27:41) [GCC 11.2.0]
Python 3.10.15 (main, Oct 3 2024, 07:27:34) [GCC 11.2.0]
Python 3.11.10 (main, Oct 3 2024, 07:29:13) [GCC 11.2.0]
Python 3.12.7 | packaged by Anaconda, Inc. | (main, Oct 4 2024, 13:27:36) [GCC 11.2.0]
Python 3.13.0 | packaged by Anaconda, Inc. | (main, Oct 7 2024, 21:29:38) [GCC 11.2.0]

[tomasr8]

I'm pretty sure this is not a CPython bug but an issue in libc gettext. Specifically this line:

https://github.com/bminor/glibc/blob/7f045c0b48633b198b42bebdff0024d7cfab3901/intl/dcigettext.c#L651-L652

It calls alloca() passing it the domain length as the argument which likely overflows the stack and causes a segfault.

[vstinner]

Please report the bug to the glibc upstream: https://sourceware.org/bugzilla/ (file a new bug with the "glibc" project).

I close this Python issue.

[tomasr8]

Sure, I can do it later today :)

[EgodPrime]

@tomasr8 I'd appreciate it if you let me know once you have finished the report.

[tomasr8]

I had to wait a day for my account to be created. The bug report is here: https://sourceware.org/bugzilla/show_bug.cgi?id=32380

[StanFromIreland]

This is a duplicate of still open #87765