2020-07-02 20:52 BST

View Issue Details
ID: 0002329
Project: NetSurf
Category: [All Projects] General
View Status: public
Last Update: 2016-02-16 14:35
Reporter: Harriet Bazley
Assigned To: Vincent Sanders
Platform: ARM
OS: RISC OS
OS Version: 5.19
Product Version: 3.0
Target Version: 3.4
Fixed in Version: 3.4
Summary: 0002329: Segmentation fault on viewing web page
Description: Attempting to view a recommended link on Bridget McKenna's writing blog - whether by double-clicking on the URL in a StrongED window, by typing the URL into NetSurf's "Open URL" dialogue box, or by navigating to the blog via the link on the website's main page - causes NetSurf to crash.
Steps To Reproduce: Visit http://www.bridgetmckenna.com/blog/self-editing-for-everyone-part-1-the-most-hated-writing-advice-ever
Additional Information: Behaviour first seen in version 2774; still present in v2820. Disc cache set to 0 Mb.

I have a couple of log files, but there seems to be very little information in them - has logging been disabled in the latest version of Netsurf?
Tags: No tags attached.
Fixed in CI build #: 2821
Reported in CI build #: 2774
URL of problem page: http://www.bridgetmckenna.com/blog/self-editing-for-everyone-part-1-the-most-hated-writing-advice-ever
Attached Files:
  • Log.zip (4,152 bytes) 2015-07-02 22:47


Vincent Sanders (administrator)

Happens everywhere, not just RISC OS.

#0 0x000000000055d8f6 in lwc__calculate_hash ()
#1 0x000000000055da05 in lwc__intern ()
#2  0x0000000000513cd5 in nsurl__create_from_section (
    url_s=url_s@entry=0x14a1080 "http://The%20Old%20Organ%20Trail%20http://www.amazon.com/gp/product/B007B57MCQ/ref=as_li_tf_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B007B57MCQ&linkCode=as2&tag=brimck0f-20", section=32,
    section@entry=URL_HOST, pegs=pegs@entry=0x7fffffffba20,
    pos_norm=0x14a12a9 "",
    pos_norm@entry=0x14a1290 "the old organ trail http:",
    url=url@entry=0x7fffffffb9d0) at utils/nsurl.c:976
#3 0x0000000000514bf5 in nsurl_join (base=base@entry=0xd9d800,
    rel=0x14a1080 "http://The%20Old%20Organ%20Trail%20http://www.amazon.com/gp/product/B007B57MCQ/ref=as_li_tf_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B007B57MCQ&linkCode=as2&tag=brimck0f-20", joined=joined@entry=0x7fffffffbb88)
    at utils/nsurl.c:1856
#4 0x00000000004df975 in box_extract_link (rel=<optimized out>,
    base=base@entry=0xd9d800, result=result@entry=0x7fffffffbb88)
    at render/box_construct.c:3042
#5 0x00000000004e1871 in box_a (n=0x12e9360, content=0x10bab00,
    box=0x14a1d90, convert_children=<optimized out>)
    at render/box_construct.c:1479
#6 0x00000000004de823 in box_construct_element (
    convert_children=0x7fffffffbc03, ctx=0x1382070)
    at render/box_construct.c:871
#7 convert_xml_to_box (ctx=0x1382070) at render/box_construct.c:383
#8 0x00000000004c9272 in schedule_run () at gtk/schedule.c:132
#9 0x00000000004bad31 in nsgtk_main () at gtk/gui.c:451
#10 0x00000000004531f1 in main (argc=2, argv=0x7fffffffe168) at gtk/gui.c:1161
Vincent Sanders (administrator)

Additional debugging shows that in utils/nsurl.c the function nsurl__create_from_section() gets called four times (on that page) and the issue occurs the fourth time through.

In the section dealing with non-redundant ports (starting at line 973), lwc_intern_string() is called with a pointer to a null byte and a length of -8.
lwc_intern takes a size_t (unsigned), so it is being passed a very large length, which causes the segfault.

This is supposed to be protected by the flag setting on line 969:

 if (length - (colon - pegs->at + skip) <= 0) {
   /* No space for a port after the colon */
   flags |= NSURL_F_NO_PORT;

However, the arithmetic is all *unsigned*, so the condition never matches:

(gdb) p length - (colon - pegs->at + skip)
$9 = 18446744073709551608

Replacing the check with:
 if (length <= (colon - pegs->at + skip))

fixes the check and stops the attempt to use a negative length.
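The unsigned-underflow behaviour described in the note above, as an added example that is not part of the report and not NetSurf's own nsurl.c: both guards are reproduced on a constructed host section whose ':' is the last byte, with the operand names (`at`, `length`, `colon`, `skip`) taken from the backtrace. The struct, the `skip` value of 9 and the second "example.org:8080" input are assumptions chosen for illustration; `skip` is picked so that the broken arithmetic lands on the same wrapped value gdb printed (2^64 - 8 on a 64-bit build).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the report's operands (not NetSurf's code):
 * `at`/`length` describe the host section, `colon` points at the ':'
 * found in it, `skip` is how far past the colon the caller steps. */
struct port_check {
    bool   no_port;   /* did the guard fire?                               */
    size_t port_len;  /* length that would be handed to lwc_intern_string() */
};

/* The guard as reported on the page.  `colon - at` is a ptrdiff_t, but
 * adding the size_t `skip` converts the whole subexpression to size_t,
 * so `length - (...)` can never be negative: "<= 0" only holds when the
 * difference is exactly zero, and a colon that sits within `skip` bytes
 * of the end wraps to a value just below SIZE_MAX instead. */
struct port_check check_port_broken(const char *at, size_t length,
                                    const char *colon, size_t skip)
{
    struct port_check r = { false, 0 };
    if (length - (colon - at + skip) <= 0) {
        r.no_port = true;                          /* effectively unreachable */
    } else {
        r.port_len = length - (colon - at + skip); /* wrapped when no room    */
    }
    return r;
}

/* The corrected guard from the note: compare before subtracting, so no
 * operand underflows.  The subtraction only runs when length is known to
 * exceed the offset, and is then guaranteed to stay in range. */
struct port_check check_port_fixed(const char *at, size_t length,
                                   const char *colon, size_t skip)
{
    struct port_check r = { false, 0 };
    size_t after_colon = (size_t)(colon - at) + skip;
    if (length <= after_colon) {
        r.no_port = true;
    } else {
        r.port_len = length - after_colon;
    }
    return r;
}

/* Run one guard over a constructed section string.  `skip` is an assumed
 * value supplied by the caller; the section must contain a ':'. */
struct port_check run_case(const char *section, size_t skip, bool fixed)
{
    size_t length = strlen(section);
    const char *colon = memchr(section, ':', length);
    return fixed ? check_port_fixed(section, length, colon, skip)
                 : check_port_broken(section, length, colon, skip);
}

int main(void)
{
    /* Constructed input mirroring the pos_norm value in the backtrace. */
    const char *tail_colon = "the old organ trail http:";
    struct port_check b = run_case(tail_colon, 9, false);
    struct port_check f = run_case(tail_colon, 9, true);
    printf("broken: no_port=%d port_len=%zu\n", b.no_port, b.port_len);
    printf("fixed:  no_port=%d port_len=%zu\n", f.no_port, f.port_len);

    /* A section that really has a port behaves identically under both. */
    struct port_check p = run_case("example.org:8080", 1, true);
    printf("with port: no_port=%d port_len=%zu\n", p.no_port, p.port_len);
    return 0;
}
```

On a 32-bit build the wrapped length is 2^32 - 8 rather than 2^64 - 8; the guard fails in exactly the same way, which is why the fix rearranges the comparison rather than widening the types.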
Vincent Sanders (administrator)

Confirmed fixed in 3.4 release

Issue History
Date Modified | Username | Field | Change
2015-07-02 22:47 Harriet Bazley New Issue
2015-07-02 22:47 Harriet Bazley File Added: Log.zip
2015-07-03 22:52 Vincent Sanders Note Added: 0000866
2015-07-03 22:52 Vincent Sanders Status new => confirmed
2015-07-03 22:52 Vincent Sanders Category RISC OS-specific => General
2015-07-03 22:52 Vincent Sanders Product Version => 3.4
2015-07-03 22:52 Vincent Sanders Steps to Reproduce Updated View Revisions
2015-07-03 22:52 Vincent Sanders Additional Information Updated View Revisions
2015-07-04 09:51 Vincent Sanders Note Added: 0000867
2015-07-04 10:01 Vincent Sanders Fixed in CI build # => 2821
2015-07-04 10:01 Vincent Sanders Reported in CI build # 2820 => 2774
2015-07-04 10:01 Vincent Sanders Assigned To => Vincent Sanders
2015-07-04 10:01 Vincent Sanders Status confirmed => resolved
2015-07-04 10:01 Vincent Sanders Product Version 3.4 => 3.0
2015-07-04 10:01 Vincent Sanders Fixed in Version => 3.4
2015-07-04 10:01 Vincent Sanders Target Version => 3.4
2015-10-31 21:46 Vincent Sanders Resolution open => fixed
2016-02-16 14:35 Vincent Sanders Note Added: 0001270
2016-02-16 14:35 Vincent Sanders Status resolved => closed