MantisBT - NetSurf
View Issue Details
ID: 0002251
Project: NetSurf
Category: [All Projects] General
View Status: public
Date Submitted: 2015-01-07 20:32
Last Update: 2015-03-10 23:42
Reporter: James Audubon
Assigned To: Vincent Sanders
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: not specified
Product Version: 3.3
Target Version: 3.3
Fixed in Version: 3.3
Fixed in CI build #: 2525
Reported in CI build #: 2509
URL of problem page: https://www.one.com/pay.do?ocode=WygJGHAdefDavwXK
Summary: 0002251: Crash at https://www.one.com/pay.do?ocode=WygJGHAdefDavwXK

Description:
Have been sent this link to an invoice.
Netsurf crashes complaining of a serious error and spits out a log file, attached.
Not sure if page has javascript or other nasties not compatible with Netsurf, but it should render something or nothing instead of crashing? Thanks.

Steps To Reproduce:
Go to https://www.one.com/pay.do?ocode=WygJGHAdefDavwXK
 
Tags: No tags attached.

Attached Files:
- Log (36,435 bytes), 2015-01-07 20:32
  https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=231&type=bug
- sprite.svg (143,688 bytes), 2015-01-11 17:13
  https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=232&type=bug

Notes
(0000566) Vincent Sanders, 2015-01-11 17:15
This is actually a libsvgtiny memory corruption. I attach the svg that explodes. valgrind output:

$ valgrind ./nsgtk https://www.one.com/static/images/onecom/sprite.svg?v=1420457225767
==3738== Memcheck, a memory error detector
==3738== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==3738== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==3738== Command: ./nsgtk https://www.one.com/static/images/onecom/sprite.svg?v=1420457225767
==3738==
==3738== Invalid write of size 4
==3738== at 0x4FF399: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
==3738== by 0x4B67B8: svg_convert (svg.c:115)
==3738== Address 0x1218a1b8 is 0 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
==3738==
==3738== Invalid write of size 4
==3738== at 0x4FF3B1: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
==3738== by 0x4B67B8: svg_convert (svg.c:115)
==3738== Address 0x1218a1bc is 4 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)


and so on
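The note above leaves the reader to work out from the Memcheck report that both "Invalid write" records hit the same 296-byte heap block, one at its end and one 4 bytes past it, from the same function and the same allocation site. The following is an added example (not code from NetSurf, libsvgtiny or the Valgrind project) that parses Memcheck output of this shape into structured records and summarises the heap-overflow writes; the sample input is an excerpt of the report quoted in the note, with whitespace as the tracker shows it. The field names, the `ALLOCATOR_FUNCS` set and the triage summary keys are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an excerpt of the Memcheck output quoted in the note above.
SAMPLE = """\
==3738== Invalid write of size 4
==3738== at 0x4FF399: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== Address 0x1218a1b8 is 0 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738==
==3738== Invalid write of size 4
==3738== at 0x4FF3B1: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== Address 0x1218a1bc is 4 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738==
"""

PREFIX_RE = re.compile(r"^==(\d+)==\s*(.*)$")           # "==pid== <body>"
ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \((.*)\)$")
ADDR_RE = re.compile(
    r"^Address 0x([0-9A-Fa-f]+) is (\d+) bytes (after|before|inside) "
    r"a block of size (\d+) (alloc'd|free'd)$"
)
# Frames to skip when looking for the code that requested the block (example's own list).
ALLOCATOR_FUNCS = {"malloc", "calloc", "realloc", "free", "operator new", "operator delete"}


@dataclass
class Frame:
    addr: int
    func: str
    location: str          # "file.c:line" or "in /path/to/binary"


@dataclass
class MemcheckError:
    kind: str              # "read" or "write"
    size: int              # bytes accessed
    access_stack: List[Frame] = field(default_factory=list)   # where the bad access happened
    address: Optional[int] = None
    offset: Optional[int] = None       # distance from the block boundary Memcheck reports
    relation: Optional[str] = None     # "after", "before" or "inside"
    block_size: Optional[int] = None
    block_state: Optional[str] = None  # "alloc'd" or "free'd"
    alloc_stack: List[Frame] = field(default_factory=list)    # where that block was allocated


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Turn Memcheck 'Invalid read/write' records into MemcheckError objects."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    in_alloc = False                      # frames after the "Address ..." line describe the allocation
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                      # not a Valgrind line (the program's own output)
        body = m.group(2).strip()
        if not body:                      # a bare "==pid==" line ends the current record
            current, in_alloc = None, False
            continue
        em = ERROR_RE.match(body)
        if em:
            current = MemcheckError(kind=em.group(1), size=int(em.group(2)))
            errors.append(current)
            in_alloc = False
            continue
        if current is None:
            continue                      # header/summary lines outside any error record
        am = ADDR_RE.match(body)
        if am:
            current.address = int(am.group(1), 16)
            current.offset = int(am.group(2))
            current.relation = am.group(3)
            current.block_size = int(am.group(4))
            current.block_state = am.group(5)
            in_alloc = True
            continue
        fm = FRAME_RE.match(body)
        if fm:
            frame = Frame(int(fm.group(1), 16), fm.group(2), fm.group(3))
            (current.alloc_stack if in_alloc else current.access_stack).append(frame)
    return errors


def faulting_function(err: MemcheckError) -> Optional[str]:
    return err.access_stack[0].func if err.access_stack else None


def allocation_site(err: MemcheckError) -> Optional[str]:
    """First allocation-stack frame that is not the allocator itself."""
    for f in err.alloc_stack:
        if f.func not in ALLOCATOR_FUNCS:
            return f.func
    return None


def bytes_beyond_block(err: MemcheckError) -> int:
    """How far past the end of the heap block the access reaches (0 unless it is past the end)."""
    if err.relation != "after" or err.offset is None:
        return 0
    return err.offset + err.size


def triage(errors: List[MemcheckError]) -> dict:
    """Summarise writes past the end of live heap blocks, the classic heap-overflow signature."""
    overflows = [e for e in errors
                 if e.kind == "write" and e.relation == "after" and e.block_state == "alloc'd"]
    return {
        "total_errors": len(errors),
        "heap_overflow_writes": len(overflows),
        "max_bytes_beyond_block": max((bytes_beyond_block(e) for e in overflows), default=0),
        "faulting_functions": sorted({f for f in map(faulting_function, overflows) if f}),
        "allocation_sites": sorted({s for s in map(allocation_site, overflows) if s}),
        "block_sizes": sorted({e.block_size for e in overflows if e.block_size is not None}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_memcheck(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the excerpt this reports two overflow writes reaching at most 8 bytes past a 296-byte block, both from `svgtiny_parse_svg` and both into a block that `svgtiny_parse_svg` allocated, which is the information a maintainer needs to locate the buffer whose size calculation is wrong. The parser deliberately ignores lines without the `==pid==` prefix, so it can be pointed at a mixed stderr capture like the one attached to this issue.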
(0000569) Vincent Sanders, 2015-01-15 13:28
Fixed issue in libsvgtiny which should mean the latest CI build will not crash like this any more (though I do not think it will render properly yet).
(0000749) Vincent Sanders, 2015-03-10 23:42
Confirmed fixed in 3.3 release.

Issue History
Date Modified        User              Field / Change
2015-01-07 20:32     James Audubon     New Issue
2015-01-07 20:32     James Audubon     File Added: Log
2015-01-11 17:13     Vincent Sanders   File Added: sprite.svg
2015-01-11 17:15     Vincent Sanders   Note Added: 0000566
2015-01-11 17:15     Vincent Sanders   Status: new => confirmed
2015-01-11 17:15     Vincent Sanders   Description Updated (bug_revision_view_page.php?rev_id=1383#r1383)
2015-01-11 17:15     Vincent Sanders   Steps to Reproduce Updated (bug_revision_view_page.php?rev_id=1385#r1385)
2015-01-15 13:28     Vincent Sanders   Fixed in CI build #: => 2525
2015-01-15 13:28     Vincent Sanders   Note Added: 0000569
2015-01-15 13:28     Vincent Sanders   Assigned To: => Vincent Sanders
2015-01-15 13:28     Vincent Sanders   Status: confirmed => resolved
2015-01-15 13:28     Vincent Sanders   Resolution: open => fixed
2015-01-15 13:28     Vincent Sanders   Product Version: => 3.3
2015-01-15 13:28     Vincent Sanders   Fixed in Version: => 3.3
2015-01-16 09:03     Vincent Sanders   Target Version: => 3.3
2015-03-10 23:42     Vincent Sanders   Note Added: 0000749
2015-03-10 23:42     Vincent Sanders   Status: resolved => closed