MantisBT - NetSurf
View Issue Details
ID: 0002672
Project: NetSurf
Category: Development
View Status: public
Date Submitted: 2019-06-12 17:10
Last Update: 2019-07-19 08:26
Reporter: Vincent Sanders
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 3.9
Target Version: 3.9
Fixed in Version: 3.9
Fixed in CI build #: 4678
Reported in CI build #:
URL of problem page: https://ria.ru/
Summary: 0002672: popular sites test causes some valgrind errors
Description: popular sites test under valgrind throws some errors

Somewhere in the list *after* https://interia.pl/, I think.

==7270== HEAP SUMMARY:
==7270== in use at exit: 990,957 bytes in 8,434 blocks
==7270== total heap usage: 62,684,708 allocs, 62,676,274 frees, 23,372,703,503 bytes allocated
==7270==
==7270== Searching for pointers to 8,434 not-freed blocks
==7270== Checked 883,920 bytes
==7270==
==7270== LEAK SUMMARY:
==7270== definitely lost: 367,608 bytes in 2,485 blocks
==7270== indirectly lost: 587,354 bytes in 5,890 blocks
==7270== possibly lost: 928 bytes in 9 blocks
==7270== still reachable: 35,067 bytes in 50 blocks
==7270== suppressed: 0 bytes in 0 blocks
==7270== Rerun with --leak-check=full to see details of leaked memory
==7270==
==7270== ERROR SUMMARY: 8 errors from 2 contexts (suppressed: 8 from 4)
==7270==
==7270== 2 errors in context 1 of 2:
==7270== Conditional jump or move depends on uninitialised value(s)
==7270== at 0x276C0A: idna__is_valid (idna.c:440)
==7270== by 0x276C0A: idna_encode (idna.c:640)
==7270== by 0x27C655: nsurl__create_from_section (parse.c:923)
==7270== by 0x27D852: nsurl_join (parse.c:1449)
==7270== by 0x1D820D: box_extract_link (box_construct.c:3136)
==7270== by 0x1DA17C: box_a (box_construct.c:1494)
==7270== by 0x1D7A2D: box_construct_element (box_construct.c:877)
==7270== by 0x1D7A2D: convert_xml_to_box (box_construct.c:383)
==7270== by 0x26A214: monkey_schedule_run (schedule.c:165)
==7270== by 0x1383A3: monkey_run (main.c:277)
==7270== by 0x1383A3: main (main.c:408)
==7270== Uninitialised value was created by a heap allocation
==7270== at 0x483577F: malloc (vg_replace_malloc.c:299)
==7270== by 0x276BBC: idna__utf8_to_ucs4 (idna.c:245)
==7270== by 0x276BBC: idna_encode (idna.c:634)
==7270== by 0x27C655: nsurl__create_from_section (parse.c:923)
==7270== by 0x27D852: nsurl_join (parse.c:1449)
==7270== by 0x1D820D: box_extract_link (box_construct.c:3136)
==7270== by 0x1DA17C: box_a (box_construct.c:1494)
==7270== by 0x1D7A2D: box_construct_element (box_construct.c:877)
==7270== by 0x1D7A2D: convert_xml_to_box (box_construct.c:383)
==7270== by 0x26A214: monkey_schedule_run (schedule.c:165)
==7270== by 0x1383A3: monkey_run (main.c:277)
==7270== by 0x1383A3: main (main.c:408)
==7270==
==7270==
==7270== 6 errors in context 2 of 2:
==7270== Conditional jump or move depends on uninitialised value(s)
==7270== at 0x276C0A: idna__is_valid (idna.c:440)
==7270== by 0x276C0A: idna_encode (idna.c:640)
==7270== by 0x27C655: nsurl__create_from_section (parse.c:923)
==7270== by 0x27D852: nsurl_join (parse.c:1449)
==7270== by 0x1D1C72: node_is_visited (select.c:1634)
==7270== by 0x2B4555: css_select_style (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==7270== by 0x1D2A64: nscss_get_style (select.c:266)
==7270== by 0x1D745B: box_get_style (box_construct.c:1376)
==7270== by 0x1D745B: box_construct_element (box_construct.c:763)
==7270== by 0x1D745B: convert_xml_to_box (box_construct.c:383)
==7270== by 0x26A214: monkey_schedule_run (schedule.c:165)
==7270== by 0x1383A3: monkey_run (main.c:277)
==7270== by 0x1383A3: main (main.c:408)
==7270== Uninitialised value was created by a heap allocation
==7270== at 0x483577F: malloc (vg_replace_malloc.c:299)
==7270== by 0x276BBC: idna__utf8_to_ucs4 (idna.c:245)
==7270== by 0x276BBC: idna_encode (idna.c:634)
==7270== by 0x27C655: nsurl__create_from_section (parse.c:923)
==7270== by 0x27D852: nsurl_join (parse.c:1449)
==7270== by 0x1D1C72: node_is_visited (select.c:1634)
==7270== by 0x2B4555: css_select_style (in /home/vince/dev-netsurf/workspace/netsurf/nsmonkey)
==7270== by 0x1D2A64: nscss_get_style (select.c:266)
==7270== by 0x1D745B: box_get_style (box_construct.c:1376)
==7270== by 0x1D745B: box_construct_element (box_construct.c:763)
==7270== by 0x1D745B: convert_xml_to_box (box_construct.c:383)
==7270== by 0x26A214: monkey_schedule_run (schedule.c:165)
==7270== by 0x1383A3: monkey_run (main.c:277)
==7270== by 0x1383A3: main (main.c:408)
==7270==
--7270--
--7270-- used_suppression: 8 dl-hack4-64bit-addr-1 /usr/lib/x86_64-linux-gnu/valgrind/default.supp:1277
==7270==
==7270== ERROR SUMMARY: 8 errors from 2 contexts (suppressed: 8 from 4)
Tags: No tags attached.
Attached Files:

Notes
(0001966) Vincent Sanders, 2019-06-13 16:22
This was caused by idna__is_valid() making an out-of-bounds memory access when the host label it was checking was less than four characters long.

https://ria.ru/ was causing nsurl_join() between
http://%D1%80%D0%BE%D1%81%D1%81%D0%B8%D1%8F%D1%81%D0%B5%D0%B3%D0%BE%D0%B4%D0%BD%D1%8F.%D1%80%D1%84/online/
and
россиясегодня.рф

The two-character Unicode domain was less than four characters, and the check in idna__is_valid() for "--" was overrunning the source buffer.
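The defect the note describes, as an added illustration in C that is not NetSurf's idna.c: a label is modelled as a UCS-4 code point buffer plus its length, which is what the trace shows idna__utf8_to_ucs4() producing, but the function names and bodies below are hypothetical. It places the unguarded positions-3-and-4 hyphen check beside a length-checked form and runs the latter on a label copied into an exactly-sized heap buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative reconstruction, not NetSurf's idna.c. A host label is a
 * UCS-4 code point buffer plus its length, as the trace shows
 * idna__utf8_to_ucs4() producing; the buffer holds exactly len entries. */

/* Defective shape: label[2] and label[3] are read before anything checks
 * that the label has at least four code points. For the two-code-point
 * label "рф" this reads past the initialised heap buffer, which is the
 * "uninitialised value" valgrind reported. Shown only; not run. */
bool label_hyphens_ok_unsafe(const uint32_t *label, size_t len)
{
	if (label[0] == '-' || label[len - 1] == '-')
		return false;
	if (label[2] == '-' && label[3] == '-')	/* no length guard */
		return false;
	return true;
}

/* Hardened shape: every index is bounded by len before it is used.
 * Rules (RFC 5891 section 4.2.3.1): no leading or trailing hyphen, no
 * "--" in positions 3 and 4 (reserved for the xn-- ACE prefix), and a
 * label is 1..63 code points long. */
bool label_hyphens_ok(const uint32_t *label, size_t len)
{
	if (len == 0 || len > 63)
		return false;
	if (label[0] == '-' || label[len - 1] == '-')
		return false;
	/* Only a label of four or more code points can carry "--" at [2],[3]. */
	if (len >= 4 && label[2] == '-' && label[3] == '-')
		return false;
	return true;
}

/* Copy len code points into an exactly-sized heap buffer, as the decoder
 * would, and run the hardened check on it. */
bool check_heap_label(const uint32_t *cps, size_t len)
{
	uint32_t *buf = malloc(len * sizeof(*buf));
	if (buf == NULL)
		return false;
	memcpy(buf, cps, len * sizeof(*buf));
	bool ok = label_hyphens_ok(buf, len);
	free(buf);
	return ok;
}
```

Running the unsafe variant on the two-entry "рф" buffer under valgrind reproduces the "Conditional jump or move depends on uninitialised value(s)" report; the hardened variant never touches label[2] or label[3] for such a label.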
(0001998) Vincent Sanders, 2019-07-19 08:26
We believe this issue has been resolved in NetSurf 3.9.

Issue History
2019-06-12 17:10 | Vincent Sanders | New Issue
2019-06-13 09:26 | Vincent Sanders | Status: new => confirmed
2019-06-13 16:22 | Vincent Sanders | Status: confirmed => resolved
2019-06-13 16:22 | Vincent Sanders | Resolution: open => fixed
2019-06-13 16:22 | Vincent Sanders | Fixed in Version: => 3.9
2019-06-13 16:22 | Vincent Sanders | Fixed in CI build #: => 4678
2019-06-13 16:22 | Vincent Sanders | URL of problem page: => https://ria.ru/
2019-06-13 16:22 | Vincent Sanders | Note Added: 0001966
2019-07-19 08:26 | Vincent Sanders | Status: resolved => closed
2019-07-19 08:26 | Vincent Sanders | Note Added: 0001998