URL: <http://savannah.gnu.org/bugs/?37596>
Summary: NSXMLParser.m randomly crashes on parsing strings
Project: GNUstep
Submitted by: buzzdee
Submitted on: Thu 18 Oct 2012 04:47:29 PM GMT
Category: Base/Foundation
Severity: 4 - Important
Item Group: Bug
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

-[NSXMLParser _parseEntity:] gives a non-NULL-terminated string to sscanf, which may crash, depending on the garbage on the stack, due to the fact that the string is not NULL terminated. At least seen on OpenBSD. It's a similar problem to the one we've seen with SimpleWebKit's NSXMLParser. The attached patch uses the same solution Nikolaus proposed for SimpleWebKit's NSXMLParser.

Here is a backtrace from MPDCon:

(gdb) bt
#0  0x0aba5c33 in strlen (str=0x8376568f "039;t notice\nDon't even sound I'm coming\nSoon you'll have a .. Everyw[...]</lyrics>\n\t<url>http://lyrics.w0</page_namespac"...) at /usr/src/lib/libc/string/strlen.c:43
#1  0x0ab332c1 in sscanf (str=0x8376568f "039;t notice\nDon't even sound I'm coming\nSoon you'll have a .. Everyw[...]</lyrics>\n\t<url>http://lyrics.w0</page_namespac"..., fmt=0x203e0481 "x%x;") at /usr/src/lib/libc/stdio/sscanf.c:59
#2  0x005796a6 in -[NSXMLParser _parseEntity:] (self=0x8224e8a4, _cmd=0x20464f38, result=0xcfbcc768) at NSXMLParser.m:1388
#3  0x0057aa24 in -[NSXMLParser parse] (self=0x8224e8a4, _cmd=0x3c011bb8) at NSXMLParser.m:1679
#4  0x1c012d90 in -[LyricsInspector updateLyrics] (self=0x87e7b984, _cmd=0x3c011b30) at LyricsInspector.m:240
#5  0x1c012878 in -[LyricsInspector songChanged:] (self=0x87e7b984, _cmd=0x3c011b20, aNotif=0x857b3504) at LyricsInspector.m:210
#6  0x004af9ee in -[NSNotificationCenter _postAndRelease:] (self=0x81febaa4, _cmd=0x2042a828, notification=0x857b3504) at NSNotificationCenter.m
#7  0x004aefeb in -[NSNotificationCenter postNotification:] (self=0x81febaa4, _cmd=0x3c003128, notification=0x857b3504) at NSNotificationCenter.
#8  0x1c003f8a in -[AppController(Private) _updateView:] (self=0x8a143484, _cmd=0x3c003078, sender=0x87e88d04) at AppController.m:585
#9  0x004c33a8 in -[NSObject performSelector:withObject:] (self=0x8a143484, _cmd=0x2044d648, aSelector=0x3c003078, anObject=0x87e88d04) at NSObj
#10 0x00538786 in -[NSTimer fire] (self=0x87e88d04, _cmd=0x20440bf8) at NSTimer.m:258
#11 0x00507d69 in -[NSRunLoop limitDateForMode:] (self=0x84592da4, _cmd=0x20440c58, mode=0x20440cb0) at NSRunLoop.m:1016
#12 0x0050427e in -[NSRunLoop runMode:beforeDate:] (self=0x84592da4, _cmd=0x200f1720, mode=0x20440cb0, date=0x86793224) at NSRunLoop.m:1255
#13 0x0029d341 in -[GSDisplayServer(EventOps) getEventMatchingMask:beforeDate:inMode:dequeue:] (self=0x8bb17c04, _cmd=0x2a9b21d8, mask=429496729 at GSDisplayServer.m:999
#14 0x0a9d084e in __objc_xgcontextevent_linking () from /usr/local/lib/GNUstep/Bundles/libgnustep-back-022.bundle/./libgnustep-back-022
#15 0x000e7dcf in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x86687084, _cmd=0x2003e0e8, mask=4294967295, expiratio at NSApplication.m:2173
#16 0x000e5afb in -[NSApplication run] (self=0x86687084, _cmd=0x20033ee8) at NSApplication.m:1559
#17 0x000c4733 in NSApplicationMain (argc=1, argv=0xcfbccffc) at Functions.m:95
#18 0x1c013cf4 in gnustep_base_user_main (argc=1, argv=0xcfbccffc) at main.m:30
#19 0x004f341e in main (argc=1, argv=Cannot access memory at address 0x4 ) at NSProcessInfo.m:984
#20 0x1c003037 in ___start (argc=1, argv=0xcfbccffc, envp=0xcfbcd004, cleanup=0, obj=0x0, ps_strings=0xcfbfdff0) at /usr/src/lib/csu/i386/crt0.c
#21 0x1c002fb2 in _start () at /usr/src/lib/csu/i386/crt0.c:77
(gdb) frame 2
#2  0x005796a6 in -[NSXMLParser _parseEntity:] (self=0x8224e8a4, _cmd=0x20464f38, result=0xcfbcc768) at NSXMLParser.m:1388
1388      if (sscanf((char *)ep+1, "x%x;", &val))
Current language: auto; currently minimal

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Thu 18 Oct 2012 04:47:29 PM GMT  Name: patch-Source_NSXMLParser_m  Size: 918B  By: buzzdee
<http://savannah.gnu.org/bugs/download.php?file_id=26787>

_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?37596>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/

_______________________________________________
Bug-gnustep mailing list
Bug-gnustep@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-gnustep
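As an added illustration (not the attached patch, whose contents are not reproduced in this report): a bounded parser for the "&#x...;" character reference that never relies on a NUL terminator, beside a constructed input of the kind that drove sscanf() into strlen() in the backtrace above. The function names, the wrapper and the sample bytes are assumptions made for this example, not GNUstep code.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Bounded parser for the hex form of an XML character reference.
 * 'p' points at the 'x' after "&#", where the report's
 * sscanf((char *)ep+1, "x%x;", &val) started; 'end' is one past the
 * last valid byte. Nothing at or beyond 'end' is ever read, so an
 * unterminated buffer cannot be overrun. Returns 1 and stores the code
 * point in *val on success, 0 on malformed or cut-off input. */
int parse_hex_charref(const char *p, const char *end, unsigned *val)
{
    unsigned v = 0;
    int ndigits = 0;

    if (p >= end || *p != 'x')
        return 0;
    for (p++; p < end && isxdigit((unsigned char)*p); p++, ndigits++) {
        char c = (char)tolower((unsigned char)*p);
        unsigned d = (c <= '9') ? (unsigned)(c - '0') : (unsigned)(c - 'a' + 10);
        if (v > 0x0FFFFFFFu)     /* next shift would wrap; %x wraps silently */
            return 0;
        v = v * 16 + d;
    }
    /* Need a digit, a ';' inside the buffer, and a value in Unicode range. */
    if (ndigits == 0 || p >= end || *p != ';' || v > 0x10FFFFu)
        return 0;
    *val = v;
    return 1;
}

/* Wrapper over an explicit (possibly unterminated) byte range: returns
 * the code point, or -1 if the reference is malformed or cut off. */
long charref_value(const char *buf, size_t len)
{
    unsigned v;
    return parse_hex_charref(buf, buf + len, &v) ? (long)v : -1L;
}

int main(void)
{
    /* Constructed input: a reference cut off at the end of a buffer with
     * no NUL terminator, the situation in the backtrace. sscanf() would
     * strlen() past the end; the bounded parser just reports "cut off". */
    char truncated[3] = { 'x', '4', '1' };
    printf("truncated -> %ld\n", charref_value(truncated, sizeof truncated)); /* -1 */
    printf("complete  -> %ld\n", charref_value("x41;more", 8));             /* 65 */
    printf("no digits -> %ld\n", charref_value("x;", 2));                    /* -1 */
    return 0;
}
```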