This commit:

commit 006dd86111c44572dbd3b26e9c63dd0f834d7762
Author: Jeff Law <law at redhat.com>
Date:   Thu Jun 21 17:15:38 2012 -0600

    [BZ #14277]
    * intl/dcigettext.c (_nl_find_msg): Avoid use after potential free.
    Simplify list management for _LIBC case.

Fails to check malloc's return in intl/dcigettext.c (_nl_find_msg):

~~~
          freemem_size = INITIAL_BLOCK_SIZE;
          newmem = (transmem_block_t *) malloc (freemem_size);
# ifdef _LIBC
          /* Add the block to the list of blocks we have to free
             at some point.  */
          newmem->next = transmem_list;
          transmem_list = newmem;
~~~

If malloc fails then newmem is NULL, and newmem->next results in a fault.

The fix is easy enough: check for newmem != NULL, and fall through to the error condition below, which returns (char *) -1, e.g. resource error.

The problem is that returning (char *) -1 will break all sorts of other callers, so while what we did is correct, the real failure case fix is slightly broader.

Patch posted: http://sourceware.org/ml/libc-alpha/2013-05/msg00190.html
Upstream gnu gettext bug submitted: http://savannah.gnu.org/bugs/?38930

Fixed by:

commit 7a44c18fb4b1a65ebb1fece0b0d04f2570ed4d82
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Wed May 22 14:50:26 2013 -0400

    Fix _nl_find_msg malloc failure case, and callers.
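
An added illustration of the failure case discussed above (not glibc's code and not part of the original report): a simplified C model of the allocation path with the NULL check in place, plus a caller that handles the (char *) -1 resource-error return. The `demo_*` names, the `block_t` type, the failure hook and the caller's fall-back to the untranslated msgid are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for transmem_block_t; not the real glibc definition. */
typedef struct block { struct block *next; char data[64]; } block_t;

static block_t *block_list;   /* blocks to free later (models transmem_list) */
static int fail_next_alloc;   /* hypothetical hook: force one allocation to fail */

static void *demo_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Models the allocation path: returns a buffer, or (char *) -1 on a
   resource error, instead of dereferencing a NULL block. */
static char *demo_find_msg(const char *msgid) {
    block_t *newmem = demo_malloc(sizeof *newmem);
    if (newmem == NULL)
        return (char *) -1;       /* the check the quoted code lacks */
    newmem->next = block_list;    /* safe: newmem is known to be non-NULL */
    block_list = newmem;
    snprintf(newmem->data, sizeof newmem->data, "[xlat] %s", msgid);
    return newmem->data;
}

/* Caller side (assumed behaviour): the sentinel is not a usable string,
   so it must be tested before use; here we fall back to msgid. */
static const char *demo_gettext(const char *msgid) {
    char *r = demo_find_msg(msgid);
    if (r == (char *) -1 || r == NULL)
        return msgid;
    return r;
}

static void demo_free_all(void) {
    while (block_list) {
        block_t *next = block_list->next;
        free(block_list);
        block_list = next;
    }
}

int main(void) {
    puts(demo_gettext("hello"));  /* allocation succeeds */
    fail_next_alloc = 1;
    puts(demo_gettext("hello"));  /* allocation fails: untranslated msgid */
    demo_free_all();
    return 0;
}
```

A caller that passes the result straight to a string function without the sentinel test would read from address -1, which is why the callers need auditing alongside the NULL check.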