[Lynx-dev] Lynx segfault (null deref) at HTML_start_element()
From: Aki Helin
Subject: [Lynx-dev] Lynx segfault (null deref) at HTML_start_element()
Date: Wed, 30 Nov 2011 11:59:53 +0200
User-agent: Heirloom mailx 12.4 7/29/08
Hi again,
A page containing "<button <input type=hidden </html>" causes the
crash below on 64-bit Linux using lynx-cur and the one in Debian:
Program received signal SIGSEGV, Segmentation fault.
0x000000000048118e in HTML_start_element (me=0x8f3e90, element_number=21, present=0x8f9a9d "", value=0x8f9ac8, tag_charset=0, include=0x8f9c58) at HTML.c:4481
4481 for (i = 0; I.value[i]; i++) {
(gdb) x/i $rip
=> 0x48118e <HTML_start_element+55057>: movzbl (%rax),%eax
(gdb) p $rax
$1 = 0
(gdb) bt
#0  0x000000000048118e in HTML_start_element (me=0x8f3e90, element_number=21, present=0x8f9a9d "", value=0x8f9ac8, tag_charset=0, include=0x8f9c58) at HTML.c:4481
#1  0x00000000004d54f9 in start_element (context=0x8f9a40) at ../../../WWW/Library/Implementation/SGML.c:1357
#2  0x00000000004db0a6 in SGML_character (context=0x8f9a40, c_in=62) at ../../../WWW/Library/Implementation/SGML.c:3550
#3  0x00000000004dd963 in SGML_write (context=0x8f9a40, str=0x7ad440 "<button <input type=hidden </html>\n", l=35) at ../../../WWW/Library/Implementation/SGML.c:4381
#4  0x00000000004eb095 in HTFileCopy (fp=0x8f3c30, sink=0x8f9a40) at ../../../WWW/Library/Implementation/HTFormat.c:948
#5  0x00000000004eb57a in HTParseFile (rep_in=0x844700, format_out=0x8462e0, anchor=0x8f3580, fp=0x8f3c30, sink=0x0) at ../../../WWW/Library/Implementation/HTFormat.c:1481
#6  0x00000000004c7220 in decompressAndParse (anchor=0x8f3580, format_out=0x8462e0, sink=0x0, nodename=0x8f3ae0 "localhost", filename=0x8ec440 "/home/aki/cases/lynx-2.html", myEncoding=0x83f470, format=0x844700, statusp=0x7fffffffd304) at ../../../WWW/Library/Implementation/HTFile.c:2605
#7  0x00000000004c803b in HTLoadFile (addr=0x8f3740 "file://localhost/home/aki/cases/lynx-2.html", anchor=0x8f3580, format_out=0x8462e0, sink=0x0) at ../../../WWW/Library/Implementation/HTFile.c:3004
#8  0x00000000004be6a0 in HTLoad (addr=0x8ec350 "file://localhost/home/aki/cases/lynx-2.html", anchor=0x8f3580, format_out=0x8462e0, sink=0x0) at ../../../WWW/Library/Implementation/HTAccess.c:701
#9  0x00000000004beb9b in HTLoadDocument (full_address=0x8ec350 "file://localhost/home/aki/cases/lynx-2.html", anchor=0x8f3580, format_out=0x8462e0, sink=0x0) at ../../../WWW/Library/Implementation/HTAccess.c:935
#10 0x00000000004bf220 in HTLoadAbsolute (docaddr=0x7fffffffd540) at ../../../WWW/Library/Implementation/HTAccess.c:1117
#11 0x0000000000433b8b in getfile (doc=0x7a09a0, target=0x7fffffffd6dc) at LYGetFile.c:808
#12 0x0000000000443fc6 in mainloop () at LYMainLoop.c:5610
#13 0x00000000004368f8 in main (argc=2, argv=0x7fffffffe0c8) at LYMain.c:2226
(gdb) list
4476          * value is greater than a line width for the current style.
4477          * Also, if chars somehow ended up longer than the length of
4478          * the actual value (shouldn't have), we'll continue padding
4479          * with nbsp up to the length of chars. - FM
4480          */
4481         for (i = 0; I.value[i]; i++) {
4482             HTML_put_character(me,
4483                                (char) ((I.value[i] == ' ')
4484                                        ? HT_NON_BREAK_SPACE
4485                                        : I.value[i]));
(gdb) p I.value
$2 = 0x0
I don't know where the null check would belong, or if a null should even
be a valid value here. Using I.value && I.value[i] as the test is enough to
avoid this crash, but there are likely also other affected places.
--
Aki Helin / OUSPG
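The loop shape from the gdb session above, reduced to a stand-alone C program: the unchecked version mirrors the dereference at HTML.c:4481 and the checked version applies the `I.value && I.value[i]` test the report proposes. This is an added example, not Lynx's own code; the `struct field_desc`, its `chars` field, the `NBSP_MARK` byte standing in for HT_NON_BREAK_SPACE, and the bounded output buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Lynx's HT_NON_BREAK_SPACE marker byte. The real definition
 * lives in Lynx's headers; the value here is assumed for illustration. */
#define NBSP_MARK ((char)1)

/* Minimal stand-in for the input-field description `I` seen in the gdb
 * session. `value` is NULL when the parser hands over a field without a
 * usable value attribute, as for "<button <input type=hidden </html>". */
struct field_desc {
    const char *value;  /* attribute value; may be NULL */
    int chars;          /* display width to pad to with NBSP_MARK */
};

/* Same shape as the loop at HTML.c:4481: I->value is dereferenced with no
 * NULL check. Emits at most outsz-1 bytes plus a terminator and returns the
 * byte count. With value == NULL the first test reads through a null
 * pointer, which is the SIGSEGV in the backtrace. */
size_t emit_value_unchecked(const struct field_desc *I, char *out, size_t outsz)
{
    size_t n = 0;
    int i;
    for (i = 0; I->value[i]; i++) {            /* crashes when value == NULL */
        if (n + 1 < outsz)
            out[n++] = (I->value[i] == ' ') ? NBSP_MARK : I->value[i];
    }
    for (; i < I->chars; i++) {                /* pad up to chars, as the comment says */
        if (n + 1 < outsz)
            out[n++] = NBSP_MARK;
    }
    if (outsz)
        out[n] = '\0';
    return n;
}

/* Hardened variant using the `I.value && I.value[i]` test from the report:
 * a field with no value is treated as empty and still padded to chars. */
size_t emit_value_checked(const struct field_desc *I, char *out, size_t outsz)
{
    size_t n = 0;
    int i;
    for (i = 0; I->value && I->value[i]; i++) {
        if (n + 1 < outsz)
            out[n++] = (I->value[i] == ' ') ? NBSP_MARK : I->value[i];
    }
    for (; i < I->chars; i++) {
        if (n + 1 < outsz)
            out[n++] = NBSP_MARK;
    }
    if (outsz)
        out[n] = '\0';
    return n;
}

/* 1 when emit_value_unchecked() would hit the null dereference for I.
 * Handy as a regression guard in a harness that feeds fuzzed markup. */
int would_null_deref(const struct field_desc *I)
{
    return I->value == NULL;
}

int main(void)
{
    char buf[32];
    struct field_desc ok  = { "a b", 6 };   /* constructed: normal field */
    struct field_desc bad = { NULL, 3 };    /* constructed: what the crash input yields */

    size_t n = emit_value_checked(&ok, buf, sizeof buf);
    printf("value \"a b\", chars=6 -> %zu bytes\n", n);

    if (would_null_deref(&bad))
        printf("NULL value: unchecked loop would segfault, checked loop only pads\n");
    n = emit_value_checked(&bad, buf, sizeof buf);
    printf("NULL value, chars=3 -> %zu bytes\n", n);
    return 0;
}
```

The fix is deliberately local to the loop; as the report notes, whether NULL should ever reach this point is a separate question, and other uses of `I.value` in the same function would need the same review.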