2024-03-19 10:56 UTC

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0002668NetSurfDevelopmentpublic2019-07-19 08:27
ReporterVincent Sanders 
Assigned ToVincent Sanders 
SeverityminorReproducibilityalways 
StatusclosedResolutionfixed 
Product Version3.9 
Target Version3.9Fixed in Version3.9 
Summary0002668: out of bounds read
Descriptionvisit ign.com and get your very own oob access
Additional Information==22739== Invalid read of size 1
==22739== at 0x29C1EF: llcache_fetch_parse_cache_control (llcache.c:615)
==22739== by 0x29C1EF: llcache_fetch_header_cache_control (llcache.c:708)
==22739== by 0x29C1EF: llcache_fetch_process_header (llcache.c:810)
==22739== by 0x29D676: llcache_fetch_callback (llcache.c:2795)
==22739== by 0x21E64B: fetch_curl_header (curl.c:1393)
==22739== by 0x570829C: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x5706733: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x571FAE7: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x572AA65: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x572B6C0: curl_multi_perform (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x21FF63: fetch_curl_poll (curl.c:1219)
==22739== by 0x21C8DC: fetch_fdset (fetch.c:404)
==22739== by 0x2CD849: nsgtk_main (gui.c:404)
==22739== by 0x191492: main (gui.c:1206)
==22739== Address 0x1696132b is 0 bytes after a block of size 11 alloc'd
==22739== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==22739== by 0x9564409: strndup (strndup.c:43)
==22739== by 0x29BCA3: llcache_fetch_split_header (llcache.c:563)
==22739== by 0x29BCA3: llcache_fetch_process_header (llcache.c:797)
==22739== by 0x29D676: llcache_fetch_callback (llcache.c:2795)
==22739== by 0x21E64B: fetch_curl_header (curl.c:1393)
==22739== by 0x570829C: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x5706733: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x571FAE7: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x572AA65: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x572B6C0: curl_multi_perform (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.4.0)
==22739== by 0x21FF63: fetch_curl_poll (curl.c:1219)
==22739== by 0x21C8DC: fetch_fdset (fetch.c:404)
TagsNo tags attached.
Fixed in CI build #4669
Reported in CI build #
URL of problem pagehttps://ign.com/
Attached Files

-Relationships
+Relationships

-Notes
Vincent Sanders

~0001956

Vincent Sanders (administrator)

this was caused by HTTP Cache-Control headers with syntax errors in their max-age stanza.

Any stanza missing an = would cause the parser to skip the null instead of the = it assumed it had found

The ign site had some js files with headers like

$ curl -I https://apps.ign.com/video-player/release/6.4.4/default.d730d0c6.js
HTTP/1.1 200 OK
x-amz-id-2: QfISQVIgmXMngH++A8//RhnV9J40jB3h3TeT3IclQja93dt9WSgQAmHBUGJopnfEsIJdsxfPsq0=
x-amz-request-id: 279AA2EE607F084B
Last-Modified: Wed, 29 May 2019 23:43:41 GMT
x-amz-version-id: cmxp2ovMdBYsW8ygV.SV5J_9X7sm9_2j
ETag: "dbe1d57019f29b46b183d3a21b3297b2"
Content-Type: application/javascript
Server: AmazonS3
Access-Control-Allow-Origin: *
Content-Length: 1259479
Accept-Ranges: bytes
Date: Mon, 10 Jun 2019 19:56:04 GMT
Via: 1.1 varnish
Age: 0
Connection: keep-alive
X-Served-By: cache-lcy19268-LCY
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1560196564.082379,VS0,VE171
Vary: Accept-Encoding
Cache-Control: max-age:30


bug fixed in
http://source.netsurf-browser.org/netsurf.git/commit/?id=e598dcd139d8221f828d542ccf6f03466a5aecdc
Vincent Sanders

~0002002

Vincent Sanders (administrator)

we believe this issue has been resolved in NetSurf 3.9
+Notes

-Issue History
Date Modified Username Field Change
2019-06-07 16:07 Vincent Sanders New Issue
2019-06-09 14:08 Vincent Sanders Assigned To => Vincent Sanders
2019-06-09 14:08 Vincent Sanders Status new => confirmed
2019-06-10 20:28 Vincent Sanders Status confirmed => resolved
2019-06-10 20:28 Vincent Sanders Resolution open => fixed
2019-06-10 20:28 Vincent Sanders Fixed in Version => 3.9
2019-06-10 20:28 Vincent Sanders Fixed in CI build # => 4669
2019-06-10 20:28 Vincent Sanders Note Added: 0001956
2019-07-19 08:27 Vincent Sanders Status resolved => closed
2019-07-19 08:27 Vincent Sanders Note Added: 0002002
+Issue History