ID: 0002854
Project: LibCSS
Category: LibCSS
View Status: public
Last Update: 2023-09-17 19:53
Reporter: phoebos
Assigned To: Michael Drake
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: x86_64
OS: Linux
OS Version: 5.15.104
Summary: 0002854: Netsurf segmentation fault in libcss
Description: Viewing the page https://stackoverflow.com/questions/45981545/why-does-noreturn-function-return causes a segfault.
Steps To Reproduce: run "netsurf-gtk3 https://stackoverflow.com/questions/45981545/why-does-noreturn-function-return" for libcss and netsurf at latest git commit.
Additional Information: backtrace:

#0 css__select_revert_property_to_origin
    (select_state=0x7fffffffa2a0, prop_state=0x7fffffffb418, origin=CSS_ORIGIN_USER, pseudo=CSS_PSEUDO_ELEMENT_NONE, property=CSS_PROP_OUTLINE_COLOR)
    at src/select/select.c:1168
#1 0x0000555555793bd4 in css__select_revert_property
    (select_state=select_state@entry=0x7fffffffa2a0, prop_state=prop_state@entry=0x7fffffffb418, pseudo=pseudo@entry=CSS_PSEUDO_ELEMENT_NONE, property=property@entry=CSS_PROP_OUTLINE_COLOR) at src/select/select.c:1193
#2 0x00005555557961d1 in css_select_style
    (ctx=<optimized out>, node=node@entry=0x7ffff4334980, unit_ctx=unit_ctx@entry=0x7ffff4525cb0, media=media@entry=0x7ffff4525c50, inline_style=inline_style@entry=0x0, handler=handler@entry=0x555555a01d80 <selection_handler>, pw=0x7fffffffbf50, result=0x7fffffffbf00) at src/select/select.c:1406
#3 0x00005555556939ad in nscss_get_style
    (ctx=ctx@entry=0x7fffffffbf50, n=n@entry=0x7ffff4334980, media=media@entry=0x7ffff4525c50, unit_len_ctx=unit_len_ctx@entry=0x7ffff4525cb0, inline_style=inline_style@entry=0x0) at content/handlers/css/select.c:264
#4 0x0000555555693e66 in box_get_style
    (c=0x7ffff4525a40, parent_style=0x7ffff3d70ab0, root_style=0x7ffff42d7b10, n=0x7ffff4334980) at content/handlers/html/box_construct.c:286
#5 0x000055555569450c in box_construct_element
    (ctx=ctx@entry=0x7ffff3608fe0, convert_children=convert_children@entry=0x7fffffffc07b) at content/handlers/html/box_construct.c:495
#6 0x000055555569572f in convert_xml_to_box (ctx=0x7ffff3608fe0)
    at content/handlers/html/box_construct.c:1240
#7 0x0000555555742c5d in schedule_run () at frontends/gtk/schedule.c:148
#8 0x0000555555738908 in nsgtk_main () at frontends/gtk/gui.c:1072
#9 0x00005555555e721c in main (argc=<optimized out>, argv=<optimized out>)
    at frontends/gtk/gui.c:1231
Tags: No tags attached.
Attached Files: log (47,949 bytes) 2023-03-31 01:55

Notes
~0002412

phoebos (reporter)

The null dereference in src/select/select.c:1168 causes this segfault, and has been detected by your static analysis CI system for at least 4 months:

https://ci.netsurf-browser.org/jenkins/job/scan-build-libcss/361/clangScanBuildBugs/
~0002413

phoebos (reporter)

ASAN output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==179658==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000026e8 (pc 0x55f51d0c51f3 bp 0x000000000000 sp 0x7ffe57f77c60 T0)
==179658==The signal is caused by a READ memory access.
    #0 0x55f51d0c51f3 in css__select_revert_property_to_origin /tmp/21803/build/libcss/src/select/select.c:1168:40
    #1 0x55f51cbe66a2 in __sanitizer::BufferedStackTrace::UnwindImpl(unsigned long, unsigned long, void*, bool, unsigned int) Scrt1.c
    #2 0x55f51cc12e5b in __sanitizer::ReportDeadlySignal(__sanitizer::SignalContext const&, unsigned int, void (*)(__sanitizer::SignalContext const&, void const*, __sanitizer::BufferedStackTrace*), void const*) Scrt1.c
    #3 0x55f51cbe0d53 in __asan::ScopedInErrorReport::~ScopedInErrorReport() Scrt1.c
    #4 0x55f51cbe109d in __asan::ReportDeadlySignal(__sanitizer::SignalContext const&) Scrt1.c
    #5 0x55f51cbdf62d in __asan::AsanOnDeadlySignal(int, void*, void*) Scrt1.c
    #6 0x7f1aacb3e733 in _setjmp /tmp/852136/build/musl/src/signal/x86_64/restore.s:1

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/21803/build/libcss/src/select/select.c:1168:40 in css__select_revert_property_to_origin
==179658==ABORTING
~0002416

Michael Orlitzky (reporter)

The "uses_revert" flag is not being set to true on stylesheets that obviously do contain a revert. That leads to uses_revert being false in the context, which leads to the "revert" pointer not being initialized. Then when we do finally encounter the revert, we try to dereference that (still NULL) pointer.

Here's a much simpler test case:

<html>
  <head>
    <title>hello</title>
    <style>
      body {
        outline: revert;
      }
    </style>
  </head>
  <body>
    <p>
      hi
    </p>
  </body>
</html>
~0002417

Michael Orlitzky (reporter)

^ There's a missing paragraph tag that got absorbed by mantis, but you get the idea.
~0002418

Michael Orlitzky (reporter)

Here's a patch to fix the issue. It was a problem with most shorthand properties (like "outline").
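As an added illustration (not libcss code and not the attached patch), here is a small C model of the mechanism described in notes ~0002416 and ~0002418: a stylesheet flag that the shorthand path fails to set, a selection state that only allocates its revert table when the flag is set, and the lookup that indexes that table. All struct and function names are invented for the model; the lookup also returns an error instead of reading through a NULL table, which is the defensive check the crash site lacked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified model of the bug: a stylesheet flag decides whether the
 * selection state allocates its "revert" table. Names are invented for
 * illustration; this is not libcss code. */
enum { PROP_OUTLINE_COLOR, PROP_OUTLINE_STYLE, PROP_COUNT };

struct stylesheet { bool uses_revert; };
struct select_state { int *revert; };  /* NULL unless uses_revert */

/* Shorthand path: the buggy parser expands "outline: revert" into its
 * longhands but never marks the sheet; the fixed parser does. */
static void add_shorthand_revert(struct stylesheet *sheet, bool fixed_parser)
{
	if (fixed_parser)
		sheet->uses_revert = true;
}

static void select_state_init(struct select_state *st,
			      const struct stylesheet *sheet)
{
	st->revert = sheet->uses_revert ? calloc(PROP_COUNT, sizeof(int)) : NULL;
}

/* Returns 0 on success, -1 if the table was never allocated. Without the
 * NULL check, the indexing below is the read ASAN reports as a SEGV. */
static int revert_property(const struct select_state *st, int prop, int *out)
{
	if (st->revert == NULL)
		return -1;
	*out = st->revert[prop];
	return 0;
}

/* Returns 0 when "outline: revert" can be resolved, -1 when the bug
 * reproduces because the flag was lost on the shorthand path. */
int simulate_outline_revert(bool fixed_parser)
{
	struct stylesheet sheet = { .uses_revert = false };
	struct select_state st;
	int value = 0, rc;
	add_shorthand_revert(&sheet, fixed_parser);
	select_state_init(&st, &sheet);
	rc = revert_property(&st, PROP_OUTLINE_COLOR, &value);
	free(st.revert);
	return rc;
}
```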
~0002419

phoebos (reporter)

Thanks for your good work, the patch works for me too.
~0002420

phoebos (reporter)

(In fact I now have a new segfault accessing the original page; it seems to be in libnsbmp, so I'll open a new issue).
~0002426

Michael Drake (administrator)

Thanks both, for the report and the fix! Applied.

Issue History
Date Modified | Username | Field | Change
2023-03-31 01:55 phoebos New Issue
2023-03-31 01:55 phoebos File Added: log
2023-03-31 10:57 phoebos Note Added: 0002412
2023-03-31 17:30 phoebos Note Added: 0002413
2023-08-12 20:09 Michael Orlitzky Note Added: 0002416
2023-08-12 20:10 Michael Orlitzky Note Added: 0002417
2023-08-13 01:27 Michael Orlitzky File Added: 0001-src-stylesheet.h-set-uses_revert-flag-for-shorthand-.patch
2023-08-13 01:27 Michael Orlitzky Note Added: 0002418
2023-08-13 02:47 phoebos Note Added: 0002419
2023-08-13 02:54 phoebos Note Added: 0002420
2023-09-17 19:53 Michael Drake Assigned To => Michael Drake
2023-09-17 19:53 Michael Drake Status new => resolved
2023-09-17 19:53 Michael Drake Resolution open => fixed
2023-09-17 19:53 Michael Drake Description Updated
2023-09-17 19:53 Michael Drake Additional Information Updated
2023-09-17 19:53 Michael Drake Note Added: 0002426