MantisBT - NetSurf | |||||
| View Issue Details | |||||
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0002873 | NetSurf | [All Projects] General | public | 2024-05-26 20:48 | 2024-05-27 08:38 |
| Reporter | Felix Albrigtsen | ||||
|---|---|---|---|---|---|
| Assigned To | kinnison | ||||
| Priority | normal | Severity | crash | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Platform | Framebuffer | OS | Linux | OS Version | Debian 12 |
| Product Version | 3.11 | ||||
| Target Version | Fixed in Version | 3.12 | |||
| Fixed in CI build # | 6734 | ||||
| Reported in CI build # | |||||
| URL of problem page | |||||
| Summary | 0002873: Double free in box_normalise_table | ||||
| Description | Double free() caused by integer overflow when parsing a table in netsurf/content/handlers/html/box_normalise.c. In box_normalise_table, col_info.spans is freed. If col_info.spans is already freed by box_normalise_table_row_group, this can cause a double free. This can happen once `box_normalise_table_row_group` has called `box_normalise_table_row` which then calls `calculate_table_row`. If cell_end_col is equal to 0xffffffff inside of calculate_table_row, the if-check on line 113 in netsurf/blob/master/content/handlers/html/box_normalise.c will evaluate to true, but passing `(cell_end_col + 1)` as the size argument to realloc, causing it to overflow to 0. Calling realloc with size 0 is equivalent to a free, resulting in a double free triggered by the HTML file below. The "magic constant" 4294967295 is (2^32)-1, filling an entire 32 bit integer. | ||||
| Steps To Reproduce | 1. Install / Build netsurf. Tested with framebuffer and gtk3 on Linux, for example the default netsurf packages on debian. 2. Create the file "test.html" containing an otherwise valid HTML file with `<table><th colspan="4294967295">` in its body. 3. Run `$ netsurf-fb -f ram file://$(pwd)/test.html` === Example HTML file: <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Document</title> </head> <body> <table><th colspan="4294967295"> </body> </html> | ||||
| Additional Information | Tested on 64-bit Debian and NixOS, on NetSurf 3.10 and 3.11. Consequences on linux with glibc: Double free is caught by libc, killing the process with SIGABRT. I have not tested the actual consequences on any other system. | ||||
| Tags | No tags attached. | ||||
| Relationships | |||||
| Attached Files | |||||
| Notes | |||||
|
|
|||||
|
|
||||
|
|
|||||
|
|
||||
|
|
|||||
|
|
||||
| Issue History | |||||
| Date Modified | Username | Field | Change | ||
|---|---|---|---|---|---|
| 2024-05-26 20:48 | Felix Albrigtsen | New Issue | |||
| 2024-05-27 08:22 | Vincent Sanders | Note Added: 0002451 | |||
| 2024-05-27 08:23 | kinnison | Assigned To | => kinnison | ||
| 2024-05-27 08:23 | kinnison | Status | new => assigned | ||
| 2024-05-27 08:37 | kinnison | Status | assigned => confirmed | ||
| 2024-05-27 08:37 | kinnison | Note Added: 0002452 | |||
| 2024-05-27 08:38 | kinnison | Status | confirmed => resolved | ||
| 2024-05-27 08:38 | kinnison | Resolution | open => fixed | ||
| 2024-05-27 08:38 | kinnison | Fixed in Version | => 3.12 | ||
| 2024-05-27 08:38 | kinnison | Fixed in CI build # | => 6734 | ||
| 2024-05-27 08:38 | kinnison | Note Added: 0002453 | |||