View Issue Details

Field | Value
---|---
ID | 0002329
Project | NetSurf
Category | [All Projects] General
View Status | public
Date Submitted | 2015-07-02 21:47
Last Update | 2016-02-16 14:35
Reporter | Harriet Bazley
Assigned To | Vincent Sanders
Severity | crash
Reproducibility | always
Status | closed
Resolution | fixed
Platform | ARM
OS | RISC OS
OS Version | 5.19
Product Version | 3.0
Target Version | 3.4
Fixed in Version | 3.4
Summary | 0002329: Segmentation fault on viewing web page
Description | Attempting to view a recommended link on Bridget McKenna's writing blog - whether by double-clicking on the URL in a StrongED window, by typing the URL into NetSurf's "Open URL" dialogue box, or by navigating to the blog via the link on the website's main page - causes NetSurf to crash.
Steps To Reproduce | Visit http://www.bridgetmckenna.com/blog/self-editing-for-everyone-part-1-the-most-hated-writing-advice-ever
Additional Information | Behaviour first seen in version 2774; still present in v2820. Disc cache set to 0 Mb. I have a couple of log files, but there seems to be very little information in them - has logging been disabled in the latest version of NetSurf?
Tags | No tags attached.
Fixed in CI build # | 2821
Reported in CI build # | 2774
URL of problem page | http://www.bridgetmckenna.com/blog/self-editing-for-everyone-part-1-the-most-hated-writing-advice-ever
Attached Files | 
Notes

Vincent Sanders (administrator) 2015-07-03 21:52

Happens everywhere, not just RISC OS.

```
#0  0x000000000055d8f6 in lwc__calculate_hash ()
#1  0x000000000055da05 in lwc__intern ()
#2  0x0000000000513cd5 in nsurl__create_from_section (url_s=url_s@entry=0x14a1080 "http://The%20Old%20Organ%20Trail%20http://www.amazon.com/gp/product/B007B57MCQ/ref=as_li_tf_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B007B57MCQ&linkCode=as2&tag=brimck0f-20", section=32, section@entry=URL_HOST, pegs=pegs@entry=0x7fffffffba20, pos_norm=0x14a12a9 "", pos_norm@entry=0x14a1290 "the old organ trail http:", url=url@entry=0x7fffffffb9d0) at utils/nsurl.c:976
#3  0x0000000000514bf5 in nsurl_join (base=base@entry=0xd9d800, rel=0x14a1080 "http://The%20Old%20Organ%20Trail%20http://www.amazon.com/gp/product/B007B57MCQ/ref=as_li_tf_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=B007B57MCQ&linkCode=as2&tag=brimck0f-20", joined=joined@entry=0x7fffffffbb88) at utils/nsurl.c:1856
#4  0x00000000004df975 in box_extract_link (rel=<optimized out>, base=base@entry=0xd9d800, result=result@entry=0x7fffffffbb88) at render/box_construct.c:3042
#5  0x00000000004e1871 in box_a (n=0x12e9360, content=0x10bab00, box=0x14a1d90, convert_children=<optimized out>) at render/box_construct.c:1479
#6  0x00000000004de823 in box_construct_element (convert_children=0x7fffffffbc03, ctx=0x1382070) at render/box_construct.c:871
#7  convert_xml_to_box (ctx=0x1382070) at render/box_construct.c:383
#8  0x00000000004c9272 in schedule_run () at gtk/schedule.c:132
#9  0x00000000004bad31 in nsgtk_main () at gtk/gui.c:451
#10 0x00000000004531f1 in main (argc=2, argv=0x7fffffffe168) at gtk/gui.c:1161
```
Vincent Sanders (administrator) 2015-07-04 08:51

Additional debugging shows that in utils/nsurl.c the function nsurl__create_from_section() gets called four times (on that page) and the issue occurs the fourth time through.

In the section dealing with non-redundant ports (starting at line 973), lwc_intern_string() is called with a pointer to a null byte and a length of -8. lwc_intern_string() takes a size_t (unsigned), so it is passed a very large length, which causes the segfault.

This is supposed to be protected by the flag setting on line 969:

```c
if (length - (colon - pegs->at + skip) <= 0) {
	/* No space for a port after the colon */
	flags |= NSURL_F_NO_PORT;
}
```

However, the arithmetic is all *unsigned*, so the condition never matches:

```
(gdb) p length - (colon - pegs->at + skip)
$9 = 18446744073709551608
```

Replacing the check with:

```c
if (length <= (colon - pegs->at + skip))
```

fixes the check and stops the attempt to use a negative length.
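As an added illustration of the unsigned-arithmetic trap described in the note above (example code, not NetSurf's own utils/nsurl.c): the parser's `pegs`/`colon` state is collapsed into an assumed `colon_off` (offset of the ':' from the start of the section) and `skip` (bytes consumed for the separator, assumed to be 1), and the inputs are constructed so that the subtraction overshoots by 8, matching the magnitude seen in gdb. The buggy and fixed checks sit side by side, and a small scanner shows the fixed form used on a host section.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the port check from the note. Not NetSurf code:
 * `length` is the section length, `colon_off` the offset of ':' inside it,
 * `skip` the bytes consumed for the separator. All are size_t, as in the
 * real parser, which is the whole point.
 */

/* Buggy form: `length - (colon_off + skip)` is unsigned, so when the colon
 * sits at or past the end of the section it wraps to a huge value instead
 * of going negative, and `<= 0` is only true when the result is exactly 0. */
static bool no_port_buggy(size_t length, size_t colon_off, size_t skip)
{
    return length - (colon_off + skip) <= 0;
}

/* Fixed form from the note: compare before subtracting, so the
 * subtraction can never run past zero. */
static bool no_port_fixed(size_t length, size_t colon_off, size_t skip)
{
    return length <= colon_off + skip;
}

/* The port length the buggy path would hand to the interning call when
 * the check above fails to fire. */
static size_t port_length_buggy(size_t length, size_t colon_off, size_t skip)
{
    return length - (colon_off + skip);
}

/* Scan a host section for the first ':' and, using the fixed check, report
 * the length of whatever follows it. Returns false when there is no colon
 * or no room for a port after it. */
static bool port_after_colon(const char *section, size_t length,
                             size_t *port_len)
{
    const size_t skip = 1; /* assumed: the ':' itself */
    const char *colon = memchr(section, ':', length);
    if (colon == NULL)
        return false;
    size_t colon_off = (size_t)(colon - section);
    if (no_port_fixed(length, colon_off, skip))
        return false;
    *port_len = length - (colon_off + skip);
    return true;
}

int main(void)
{
    /* Constructed inputs: colon_off + skip overshoots length by 8. */
    size_t length = 17, colon_off = 24, skip = 1;

    printf("buggy check fires: %s\n",
           no_port_buggy(length, colon_off, skip) ? "yes" : "no");
    printf("buggy port length: %zu\n",
           port_length_buggy(length, colon_off, skip));
    printf("fixed check fires: %s\n",
           no_port_fixed(length, colon_off, skip) ? "yes" : "no");

    size_t n = 0;
    const char host[] = "example.com:8080"; /* constructed */
    if (port_after_colon(host, sizeof(host) - 1, &n))
        printf("port length in \"%s\": %zu\n", host, n);

    const char bare[] = "example.com:";     /* constructed: colon, no port */
    if (!port_after_colon(bare, sizeof(bare) - 1, &n))
        printf("no port in \"%s\"\n", bare);
    return 0;
}
```

The general rule the fix applies is to rearrange a length check so that it never subtracts an unsigned quantity that may exceed the minuend; comparing `length <= offset` costs nothing and cannot wrap, whereas `length - offset <= 0` silently becomes `length - offset == 0` the moment the operands are unsigned.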
Vincent Sanders (administrator) 2016-02-16 14:35
Confirmed fixed in 3.4 release |
Issue History

Date Modified | Username | Field | Change
---|---|---|---
2015-07-02 21:47 | Harriet Bazley | New Issue | |
2015-07-02 21:47 | Harriet Bazley | File Added: Log.zip | |
2015-07-03 21:52 | Vincent Sanders | Note Added: 0000866 | |
2015-07-03 21:52 | Vincent Sanders | Status | new => confirmed |
2015-07-03 21:52 | Vincent Sanders | Category | RISC OS-specific => General |
2015-07-03 21:52 | Vincent Sanders | Product Version | => 3.4 |
2015-07-03 21:52 | Vincent Sanders | Steps to Reproduce Updated | View Revisions |
2015-07-03 21:52 | Vincent Sanders | Additional Information Updated | View Revisions |
2015-07-04 08:51 | Vincent Sanders | Note Added: 0000867 | |
2015-07-04 09:01 | Vincent Sanders | Fixed in CI build # | => 2821 |
2015-07-04 09:01 | Vincent Sanders | Reported in CI build # | 2820 => 2774 |
2015-07-04 09:01 | Vincent Sanders | Assigned To | => Vincent Sanders |
2015-07-04 09:01 | Vincent Sanders | Status | confirmed => resolved |
2015-07-04 09:01 | Vincent Sanders | Product Version | 3.4 => 3.0 |
2015-07-04 09:01 | Vincent Sanders | Fixed in Version | => 3.4 |
2015-07-04 09:01 | Vincent Sanders | Target Version | => 3.4 |
2015-10-31 21:46 | Vincent Sanders | Resolution | open => fixed |
2016-02-16 14:35 | Vincent Sanders | Note Added: 0001270 | |
2016-02-16 14:35 | Vincent Sanders | Status | resolved => closed |