bug-gnustep

[bug #37596] NSXMLParser.m randomly crashes on parsing strings


From: Sebastian Reitenbach
Subject: [bug #37596] NSXMLParser.m randomly crashes on parsing strings
Date: Thu, 18 Oct 2012 16:47:30 +0000
User-agent: Mozilla/5.0 (X11; OpenBSD i386; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

URL:
  <http://savannah.gnu.org/bugs/?37596>

                 Summary: NSXMLParser.m randomly crashes on parsing strings
                 Project: GNUstep
            Submitted by: buzzdee
            Submitted on: Thu 18 Oct 2012 04:47:29 PM GMT
                Category: Base/Foundation
                Severity: 4 - Important
              Item Group: Bug
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

-[NSXMLParser _parseEntity:] passes a string that is not NULL-terminated to sscanf,
which may crash, depending on the garbage on the stack, because the string is
not NULL-terminated. Seen at least on OpenBSD.

It's a problem similar to the one we've seen with simplewebkit's NSXMLParser. The
attached patch uses the same solution Nikolaus proposed for simplewebkit's
NSXMLParser.

Here is a backtrace from MPDCon:

(gdb) bt
#0  0x0aba5c33 in strlen (
    str=0x8376568f "039;t notice\nDon&#039;t even sound I&#039;m coming\nSoon
you&#039;ll have a ..
Everyw[...]</lyrics>\n\t<url>http://lyrics.w0</page_namespac"...) at
/usr/src/lib/libc/string/strlen.c:43
#1  0x0ab332c1 in sscanf (
    str=0x8376568f "039;t notice\nDon&#039;t even sound I&#039;m coming\nSoon
you&#039;ll have a ..
Everyw[...]</lyrics>\n\t<url>http://lyrics.w0</page_namespac"...,
fmt=0x203e0481 "x%x;") at /usr/src/lib/libc/stdio/sscanf.c:59
#2  0x005796a6 in -[NSXMLParser _parseEntity:] (self=0x8224e8a4,
_cmd=0x20464f38, result=0xcfbcc768) at NSXMLParser.m:1388
#3  0x0057aa24 in -[NSXMLParser parse] (self=0x8224e8a4, _cmd=0x3c011bb8) at
NSXMLParser.m:1679
#4  0x1c012d90 in -[LyricsInspector updateLyrics] (self=0x87e7b984,
_cmd=0x3c011b30) at LyricsInspector.m:240
#5  0x1c012878 in -[LyricsInspector songChanged:] (self=0x87e7b984,
_cmd=0x3c011b20, aNotif=0x857b3504) at LyricsInspector.m:210
#6  0x004af9ee in -[NSNotificationCenter _postAndRelease:] (self=0x81febaa4,
_cmd=0x2042a828, notification=0x857b3504) at NSNotificationCenter.m
#7  0x004aefeb in -[NSNotificationCenter postNotification:] (self=0x81febaa4,
_cmd=0x3c003128, notification=0x857b3504) at NSNotificationCenter.
#8  0x1c003f8a in -[AppController(Private) _updateView:] (self=0x8a143484,
_cmd=0x3c003078, sender=0x87e88d04) at AppController.m:585
#9  0x004c33a8 in -[NSObject performSelector:withObject:] (self=0x8a143484,
_cmd=0x2044d648, aSelector=0x3c003078, anObject=0x87e88d04) at NSObj
#10 0x00538786 in -[NSTimer fire] (self=0x87e88d04, _cmd=0x20440bf8) at
NSTimer.m:258
#11 0x00507d69 in -[NSRunLoop limitDateForMode:] (self=0x84592da4,
_cmd=0x20440c58, mode=0x20440cb0) at NSRunLoop.m:1016
#12 0x0050427e in -[NSRunLoop runMode:beforeDate:] (self=0x84592da4,
_cmd=0x200f1720, mode=0x20440cb0, date=0x86793224) at NSRunLoop.m:1255
#13 0x0029d341 in -[GSDisplayServer(EventOps)
getEventMatchingMask:beforeDate:inMode:dequeue:] (self=0x8bb17c04,
_cmd=0x2a9b21d8, mask=429496729
    at GSDisplayServer.m:999
#14 0x0a9d084e in __objc_xgcontextevent_linking () from
/usr/local/lib/GNUstep/Bundles/libgnustep-back-022.bundle/./libgnustep-back-022
#15 0x000e7dcf in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x86687084,
_cmd=0x2003e0e8, mask=4294967295, expiratio
    at NSApplication.m:2173
#16 0x000e5afb in -[NSApplication run] (self=0x86687084, _cmd=0x20033ee8) at
NSApplication.m:1559
#17 0x000c4733 in NSApplicationMain (argc=1, argv=0xcfbccffc) at
Functions.m:95
#18 0x1c013cf4 in gnustep_base_user_main (argc=1, argv=0xcfbccffc) at
main.m:30
#19 0x004f341e in main (argc=1, argv=Cannot access memory at address 0x4
) at NSProcessInfo.m:984
#20 0x1c003037 in ___start (argc=1, argv=0xcfbccffc, envp=0xcfbcd004,
cleanup=0, obj=0x0, ps_strings=0xcfbfdff0) at /usr/src/lib/csu/i386/crt0.c
#21 0x1c002fb2 in _start () at /usr/src/lib/csu/i386/crt0.c:77
(gdb) frame 2
#2  0x005796a6 in -[NSXMLParser _parseEntity:] (self=0x8224e8a4,
_cmd=0x20464f38, result=0xcfbcc768) at NSXMLParser.m:1388
1388          if (sscanf((char *)ep+1, "x%x;", &val))
Current language:  auto; currently minimal




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Thu 18 Oct 2012 04:47:29 PM GMT  Name: patch-Source_NSXMLParser_m  Size:
918B   By: buzzdee

<http://savannah.gnu.org/bugs/download.php?file_id=26787>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?37596>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
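The backtrace above shows why the call at NSXMLParser.m:1388 is unsafe: OpenBSD's sscanf calls strlen on its input to set up the stream (frame #0), so any buffer without a terminating NUL is read until the first zero byte that happens to follow it in memory. The example below is an added illustration written for this page; it is not the GNUstep code, not the attached patch (whose contents are not shown here), and not Nikolaus's fix. It parses numeric character references ("&#39;" and "&#x27;") from a byte slice whose length is passed explicitly, so no read ever depends on a terminator. The function names parse_char_ref, decode_char_refs, char_ref_value and decode_cstring are this example's own, and the sample input in main is constructed from the lyrics fragment visible in the backtrace.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a numeric character reference ("&#39;" or "&#x27;") that begins at
 * buf[0].  Every read is bounded by len, so the function is safe on a slice
 * of a larger, non-NUL-terminated buffer.  Returns the number of bytes
 * consumed (including the closing ';'), or 0 if the bytes are not a
 * complete, well-formed reference.  *out is written only on success. */
size_t parse_char_ref(const unsigned char *buf, size_t len, unsigned long *out)
{
    size_t i;
    int hex = 0, digits = 0;
    unsigned long val = 0;

    if (len < 4 || buf[0] != '&' || buf[1] != '#')
        return 0;
    i = 2;
    if (buf[i] == 'x' || buf[i] == 'X') {
        hex = 1;
        i++;
    }
    for (; i < len; i++) {
        int c = buf[i], d;
        if (c == ';')
            break;
        if (c >= '0' && c <= '9')
            d = c - '0';
        else if (hex && c >= 'a' && c <= 'f')
            d = c - 'a' + 10;
        else if (hex && c >= 'A' && c <= 'F')
            d = c - 'A' + 10;
        else
            return 0;                /* junk inside the reference */
        val = val * (hex ? 16 : 10) + (unsigned long)d;
        if (val > 0x10FFFF)
            return 0;                /* beyond Unicode; also bounds val */
        digits++;
    }
    if (i >= len || digits == 0)
        return 0;                    /* end of slice reached before ';' */
    *out = val;
    return i + 1;
}

/* Expand numeric references in a bounded input slice into out (capacity
 * outlen, always NUL-terminated).  Only code points below 128 are expanded;
 * larger ones and malformed references are copied through verbatim.
 * Returns bytes written (excluding the NUL), or (size_t)-1 if out is too
 * small. */
size_t decode_char_refs(const unsigned char *in, size_t len,
                        char *out, size_t outlen)
{
    size_t i = 0, o = 0;

    if (outlen == 0)
        return (size_t)-1;
    while (i < len) {
        unsigned long cp = 0;
        size_t used = 0;
        if (in[i] == '&')
            used = parse_char_ref(in + i, len - i, &cp);
        if (o + 1 >= outlen)
            return (size_t)-1;
        if (used && cp < 128) {
            out[o++] = (char)cp;
            i += used;
        } else {
            out[o++] = (char)in[i++];
        }
    }
    out[o] = '\0';
    return o;
}

/* Convenience wrappers for NUL-terminated strings (demo/test use only). */
long char_ref_value(const char *s)
{
    unsigned long cp;
    if (parse_char_ref((const unsigned char *)s, strlen(s), &cp) == 0)
        return -1;
    return (long)cp;
}

const char *decode_cstring(const char *s)
{
    static char buf[256];
    if (decode_char_refs((const unsigned char *)s, strlen(s),
                         buf, sizeof buf) == (size_t)-1)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed input modelled on the lyrics text in the backtrace.  It is
     * copied into an allocation WITHOUT a trailing NUL, so an unbounded
     * reader (strlen/sscanf) would run off the end of the allocation. */
    static const char src[] = "Don&#039;t even sound I&#x27;m coming &#39";
    size_t len = sizeof(src) - 1;
    unsigned char *raw = malloc(len);
    char out[64];

    if (raw == NULL)
        return 1;
    memcpy(raw, src, len);
    if (decode_char_refs(raw, len, out, sizeof out) == (size_t)-1)
        return 1;
    printf("%s\n", out);   /* Don't even sound I'm coming &#39 */
    free(raw);
    return 0;
}
```

The point of the bounded loop is that the caller, not the string contents, decides where reading stops: the same five bytes "&#39;" parse successfully with len 5 but are rejected with len 4, because the ';' then lies outside the slice. The equivalent with sscanf would have to copy the slice into a small NUL-terminated scratch buffer first; that works, but it is easy to forget, which is exactly the bug reported here.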