2019-01-16 17:31 UTC

ID: 0002251
Project: NetSurf
Category: [All Projects] General
View Status: public
Last Update: 2015-03-10 23:42
Reporter: James Audubon
Assigned To: Vincent Sanders
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 3.3
Target Version: 3.3
Fixed in Version: 3.3
Summary: 0002251: Crash at https://www.one.com/pay.do?ocode=WygJGHAdefDavwXK
Description: Have been sent this link to an invoice
Netsurf crashes complaining of a serious error and spits out a log file, attached.
Not sure if page has javascript or other nasties not compatible with Netsurf but should render something or nothing instead of crashing? Thanks.
Steps To Reproduce: Go to https://www.one.com/pay.do?ocode=WygJGHAdefDavwXK
Tags: No tags attached.
Fixed in CI build #2525
Reported in CI build #2509
URL of problem page: https://www.one.com/pay.do?ocode=WygJGHAdefDavwXK
Attached Files
  • Log (36,435 bytes) 2015-01-07 20:32
  • sprite.svg (143,688 bytes) 2015-01-11 17:13


Notes

~0000566

Vincent Sanders (administrator)

This is actually a libsvgtiny memory corruption. I attached the svg that explodes. valgrind output:

$ valgrind ./nsgtk https://www.one.com/static/images/onecom/sprite.svg?v=1420457225767
==3738== Memcheck, a memory error detector
==3738== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==3738== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==3738== Command: ./nsgtk https://www.one.com/static/images/onecom/sprite.svg?v=1420457225767
==3738==
==3738== Invalid write of size 4
==3738== at 0x4FF399: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
==3738== by 0x4B67B8: svg_convert (svg.c:115)
==3738== Address 0x1218a1b8 is 0 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
==3738==
==3738== Invalid write of size 4
==3738== at 0x4FF3B1: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)
==3738== by 0x4B67B8: svg_convert (svg.c:115)
==3738== Address 0x1218a1bc is 4 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4FE925: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x5017C8: svgtiny_parse (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== by 0x4B6D54: svg_reformat (svg.c:139)
==3738== by 0x451B08: content__reformat (content.c:365)
==3738== by 0x475E83: browser_window_callback (browser.c:1328)
==3738== by 0x45C718: hlcache_content_callback (hlcache.c:191)
==3738== by 0x451882: content_broadcast (content.c:702)
==3738== by 0x451D4B: content_set_ready (content.c:310)


and so on
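
An added example, not part of the original report or of NetSurf's code: a small triage script for Memcheck output like the log in the note above. It parses each "Invalid write" report and groups them by allocation site, showing that both writes overrun the same 296-byte block. The sample is a shortened excerpt of that log, and the names `parse_memcheck` and `summarize` are assumptions of this example.

```python
import re

# Shortened excerpt of the Memcheck log above: two reports, stacks trimmed.
SAMPLE = """\
==3738== Invalid write of size 4
==3738== at 0x4FF399: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== Address 0x1218a1b8 is 0 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== Invalid write of size 4
==3738== at 0x4FF3B1: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
==3738== Address 0x1218a1bc is 4 bytes after a block of size 296 alloc'd
==3738== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==3738== by 0x4FEAF3: svgtiny_parse_svg (in /home/vince/dev-netsurf/workspace/netsurf/nsgtk)
"""

ERR = re.compile(r"Invalid (read|write) of size (\d+)")
ADDR = re.compile(r"Address (0x[0-9A-Fa-f]+) is (\d+) bytes (after|before|inside) a block of size (\d+)")
FRAME = re.compile(r"(?:at|by) (0x[0-9A-Fa-f]+): (\S+)")
ALLOCATORS = {"malloc", "calloc", "realloc"}

def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' report in a Memcheck log."""
    reports = []
    for raw in text.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw)  # drop the PID prefix
        if m := ERR.search(line):
            reports.append({"kind": m[1], "size": int(m[2]), "access": [], "block": None, "origin": []})
        elif not reports:
            continue  # banner lines before the first report
        elif m := ADDR.search(line):
            reports[-1]["block"] = {"offset": int(m[2]), "where": m[3], "block_size": int(m[4])}
        elif m := FRAME.match(line):
            # Frames before the "Address" line are the faulting access; later ones are the allocation.
            cur = reports[-1]
            cur["origin" if cur["block"] else "access"].append((m[1], m[2]))
    return reports

def summarize(reports):
    """Group overruns by (block size, allocating frame); track the furthest byte touched."""
    groups = {}
    for r in reports:
        b = r["block"]
        if b and b["where"] == "after":
            site = next((f for f in r["origin"] if f[1] not in ALLOCATORS), None)
            g = groups.setdefault((b["block_size"], site), {"count": 0, "max_overrun": 0})
            g["count"] += 1
            g["max_overrun"] = max(g["max_overrun"], b["offset"] + r["size"])
    return groups
```

On the excerpt, `summarize(parse_memcheck(SAMPLE))` yields a single group: two writes reaching 8 bytes past the end of the 296-byte block allocated in `svgtiny_parse_svg`.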
~0000569

Vincent Sanders (administrator)

Fixed issue in libsvgtiny which should mean the latest CI build will not crash like this any more (though I do not think it will render properly yet)
~0000749

Vincent Sanders (administrator)

Confirmed fixed in 3.3 release

Issue History
Date Modified Username Field Change
2015-01-07 20:32 James Audubon New Issue
2015-01-07 20:32 James Audubon File Added: Log
2015-01-11 17:13 Vincent Sanders File Added: sprite.svg
2015-01-11 17:15 Vincent Sanders Note Added: 0000566
2015-01-11 17:15 Vincent Sanders Status new => confirmed
2015-01-11 17:15 Vincent Sanders Description Updated
2015-01-11 17:15 Vincent Sanders Steps to Reproduce Updated
2015-01-15 13:28 Vincent Sanders Fixed in CI build # => 2525
2015-01-15 13:28 Vincent Sanders Note Added: 0000569
2015-01-15 13:28 Vincent Sanders Assigned To => Vincent Sanders
2015-01-15 13:28 Vincent Sanders Status confirmed => resolved
2015-01-15 13:28 Vincent Sanders Resolution open => fixed
2015-01-15 13:28 Vincent Sanders Product Version => 3.3
2015-01-15 13:28 Vincent Sanders Fixed in Version => 3.3
2015-01-16 09:03 Vincent Sanders Target Version => 3.3
2015-03-10 23:42 Vincent Sanders Note Added: 0000749
2015-03-10 23:42 Vincent Sanders Status resolved => closed