Bug#514544: elinks: dumps core when trying to access http://www.debian.org/security/dsa-long

2009-03-25 Thread Y Giridhar Appaji Nag
# Bcc: control
tags 514544 + fixed-upstream
thanks

On 09/02/09 03:19 +0200, Kalle Olavi Niemitalo said ...
 and avoids the crash.  However, I'm really unfamiliar with the
 DOM code, so I cannot be sure this is the right solution.
 
 --- src/document/dom/renderer.c.~1~   2008-06-30 01:40:02.0 +0300
 +++ src/document/dom/renderer.c   2009-02-09 02:57:09.0 +0200
 @@ -947,9 +947,7 @@ dom_rss_pop_document(struct dom_stack *s
   done_dom_string(renderer-text);
   mem_free_if(renderer-items);
  
 - done_dom_node(root);
 -
 - return DOM_CODE_OK;
 + return DOM_CODE_FREE_NODE;
  }
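Review bot: with done_dom_node(root) gone, who owns the document node is no longer visible at this return site; a one-line comment above `return DOM_CODE_FREE_NODE;` saying that the stack frees the node once every context's pop callback has run would keep the next reader from re-adding an explicit free here and reintroducing the crash.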

http://repo.or.cz/w/elinks.git?a=commitdiff;h=f77748299b4f412c08a360407bbaef8a5a7e4965

-- 
Y Giridhar Appaji Nag | http://people.debian.org/~appaji/




Bug#514544: elinks: dumps core when trying to access http://www.debian.org/security/dsa-long

2009-02-08 Thread Aioanei Rares
Package: elinks
Version: 0.12~pre2.dfsg0-1
Severity: normal



-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-rc2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages elinks depends on:
ii  elinks-data           0.12~pre2.dfsg0-1  advanced text-mode WWW browser - d
ii  libbz2-1.0            1.0.5-1            high-quality block-sorting file co
ii  libc6                 2.7-18             GNU C Library: Shared libraries
ii  libexpat1             2.0.1-4            XML parsing C library - runtime li
ii  libfsplib0            0.9-1              FSP v2 protocol stack library - sh
ii  libgnutls26           2.4.2-6            the GNU TLS library - runtime libr
ii  libgpm2               1.20.4-3.1         General Purpose Mouse - shared lib
ii  libgssapi2-heimdal    1.2.dfsg.1-2.1     Heimdal Kerberos - GSSAPI support
ii  libheimntlm0-heimdal  1.2.dfsg.1-2.1     Heimdal Kerberos - NTLM support li
ii  libidn11              1.10-3             GNU libidn library, implementation
ii  libkrb5-25-heimdal    1.2.dfsg.1-2.1     Heimdal Kerberos - libraries
ii  liblua50              5.0.3-3            Main interpreter library for the L
ii  liblualib50           5.0.3-3            Extension library for the Lua 5.0
ii  libmozjs1d            1.9.0.6-1          The Mozilla SpiderMonkey JavaScrip
ii  libperl5.10           5.10.0-19          Shared Perl library
ii  libruby1.8            1.8.7.72-3         Libraries necessary to run Ruby 1.
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

elinks recommends no packages.

Versions of packages elinks suggests:
pn  elinks-doc            <none>             (no description available)

-- no debconf information






Bug#514544: elinks: dumps core when trying to access http://www.debian.org/security/dsa-long

2009-02-08 Thread Kalle Olavi Niemitalo
We discussed this on #ELinks with Miciah Dashiel Butler Masters.
The bug is triggered by configure --enable-html-highlight, which
also enables the RSS renderer.  configure --enable-debug can hide
the bug, at least in some circumstances.  Here is a relevant part
of a valgrind log:

==25631== Invalid read of size 2
==25631==at 0x80B2438: call_dom_stack_callbacks (stack.c:145)
==25631==by 0x80B2822: pop_dom_node (stack.c:222)
==25631==by 0x8092E3A: render_dom_document (renderer.c:1078)
==25631==by 0x808AC6E: render_encoded_document (renderer.c:262)
==25631==by 0x808AEFE: render_document (renderer.c:345)
==25631==by 0x808B420: render_document_frames (renderer.c:472)
==25631==by 0x810D697: draw_formatted (draw.c:350)
==25631==by 0x80F57FE: display_timer (session.c:454)
==25631==by 0x80F8CF8: loading_callback (task.c:538)
==25631==by 0x80D105C: notify_connection_callbacks (connection.c:428)
==25631==by 0x80D0D93: set_connection_state (connection.c:367)
==25631==by 0x80D08CB: set_connection_socket_state (connection.c:234)
==25631==  Address 0x4db1c78 is 0 bytes inside a block of size 32 free'd
==25631==at 0x4021B8A: free (vg_replace_malloc.c:323)
==25631==by 0x8106C53: mem_free (memory.c:96)
==25631==by 0x80AF858: done_dom_node_data (node.c:430)
==25631==by 0x80AF944: done_dom_node (node.c:461)
==25631==by 0x8092A55: dom_rss_pop_document (renderer.c:950)
==25631==by 0x80B2486: call_dom_stack_callbacks (stack.c:151)
==25631==by 0x80B2822: pop_dom_node (stack.c:222)
==25631==by 0x8092E3A: render_dom_document (renderer.c:1078)
==25631==by 0x808AC6E: render_encoded_document (renderer.c:262)
==25631==by 0x808AEFE: render_document (renderer.c:345)
==25631==by 0x808B420: render_document_frames (renderer.c:472)
==25631==by 0x810D697: draw_formatted (draw.c:350)

The struct dom_node was freed and then used during the same call
to call_dom_stack_callbacks.  There were three contexts using the
DOM stack.  The first one didn't have any callbacks.  The second
one was dom_rss_renderer_context_info, whose dom_rss_pop_document
callback freed the document node.  The third context was
dom_config_normalizer_context, whose dom_normalize_node_end
callback wouldn't have done anything to DOM_NODE_DOCUMENT.
When call_dom_stack_callbacks was examining the third context,
it read state->node->type, whose value was invalid because
state->node had already been freed.  This then caused
call_dom_stack_callbacks to call an invalid function pointer.

The following patch attempts to fix this bug by keeping the node
in memory until call_dom_stack_callbacks has called the callbacks
of all contexts.  This change removes the valgrind error report
and avoids the crash.  However, I'm really unfamiliar with the
DOM code, so I cannot be sure this is the right solution.

--- src/document/dom/renderer.c.~1~ 2008-06-30 01:40:02.0 +0300
+++ src/document/dom/renderer.c 2009-02-09 02:57:09.0 +0200
@@ -947,9 +947,7 @@ dom_rss_pop_document(struct dom_stack *s
done_dom_string(renderer-text);
mem_free_if(renderer-items);
 
-   done_dom_node(root);
-
-   return DOM_CODE_OK;
+   return DOM_CODE_FREE_NODE;
 }
 
 
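Review bot: the correctness of this hunk rests on code outside it. Replacing done_dom_node(root) with `return DOM_CODE_FREE_NODE;` only closes the use-after-free if the caller (call_dom_stack_callbacks / pop_dom_node in stack.c, per the valgrind trace above) defers the free until after every context's callback has run, and if no other context's pop callback for DOM_NODE_DOCUMENT frees, or also returns DOM_CODE_FREE_NODE for, the same node. Both are worth confirming in stack.c before relying on this, and the renderer must not touch root after this return, since its lifetime now ends inside the stack code rather than here.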


pgpJDf2EaMY10.pgp
Description: PGP signature
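The sequence described in the message above (one context's pop callback freeing the node while later contexts still read its type) and the deferred-free return code that fixes it, as an added example in C; this is not code from elinks or from the thread. node, ctx, pop_node, CODE_OK and CODE_FREE_NODE are invented stand-ins for elinks's dom_node, dom_stack_context, pop_dom_node and DOM_CODE_*, and the tombstone flag checked in node_type() plays the role valgrind played in the report, so the program itself never touches freed memory.

```c
/* Added example, not elinks code: a minimal model of a DOM stack that
 * dispatches pop callbacks to several contexts in order. It reproduces the
 * ordering bug from the report and the deferred-free fix. */
#include <stddef.h>
#include <stdio.h>

enum code { CODE_OK = 0, CODE_FREE_NODE = 1 };          /* stand-in for DOM_CODE_* */
enum node_type { NODE_DOCUMENT = 0, NODE_ELEMENT = 1, NODE_TYPES = 2 };

struct node {
    enum node_type type;
    int freed;   /* tombstone set by done_node; stands in for the memory really being released */
};

typedef enum code (*pop_cb)(struct node *, void *);

struct ctx {
    const char *name;
    pop_cb pop[NODE_TYPES];   /* callback per node type, NULL = none (like the first context in the report) */
    int calls;
};

struct result {
    int invalid_reads;     /* reads of node->type after the node was freed */
    int freed;             /* was the node freed by the end? */
    int normalizer_calls;  /* did the normalizer context still get its callback? */
};

static int invalid_reads;   /* plays the role of valgrind's "Invalid read" report */

static void done_node(struct node *n) { n->freed = 1; }

/* Every read of node->type goes through here so a read after free is counted
 * instead of being undefined behaviour. */
static enum node_type node_type(struct node *n) {
    if (n->freed) invalid_reads++;
    return n->type;
}

/* Mirrors the '-' lines of the patch: the callback frees the node itself. */
static enum code rss_pop_document_buggy(struct node *n, void *data) {
    (void)data;
    done_node(n);
    return CODE_OK;
}

/* Mirrors the '+' line of the patch: ask the stack to free the node later. */
static enum code rss_pop_document_fixed(struct node *n, void *data) {
    (void)n; (void)data;
    return CODE_FREE_NODE;
}

/* Normalizer-style callback: looks at the node, never frees it. */
static enum code normalize_node_end(struct node *n, void *data) {
    (void)n; (void)data;
    return CODE_OK;
}

/* Dispatch the pop callbacks of all contexts in order. The node is freed
 * only after the loop, and only if some callback asked for it, so no later
 * context is handed freed memory. */
static void pop_node(struct ctx *ctxs, size_t nctx, struct node *n) {
    int free_after = 0;
    for (size_t i = 0; i < nctx; i++) {
        pop_cb cb = ctxs[i].pop[node_type(n)];   /* node->type is read once per context */
        if (!cb) continue;
        ctxs[i].calls++;
        if (cb(n, NULL) == CODE_FREE_NODE) free_after = 1;
    }
    if (free_after) done_node(n);
}

/* Reproduce the three-context layout from the report (no callbacks, RSS
 * renderer, normalizer) with the given renderer callback. */
static struct result run(pop_cb renderer_cb) {
    struct ctx ctxs[3] = {
        { "no-callbacks", { NULL, NULL }, 0 },
        { "rss-renderer", { renderer_cb, NULL }, 0 },
        { "normalizer",   { normalize_node_end, normalize_node_end }, 0 },
    };
    struct node doc = { NODE_DOCUMENT, 0 };   /* constructed document node */
    struct result r;
    invalid_reads = 0;
    pop_node(ctxs, 3, &doc);
    r.invalid_reads = invalid_reads;
    r.freed = doc.freed;
    r.normalizer_calls = ctxs[2].calls;
    return r;
}

int main(void) {
    struct result buggy = run(rss_pop_document_buggy);
    struct result fixed = run(rss_pop_document_fixed);
    printf("buggy: invalid reads=%d freed=%d normalizer ran=%d\n",
           buggy.invalid_reads, buggy.freed, buggy.normalizer_calls);
    printf("fixed: invalid reads=%d freed=%d normalizer ran=%d\n",
           fixed.invalid_reads, fixed.freed, fixed.normalizer_calls);
    return 0;
}
```

The buggy variant records one invalid read, made while pop_node looks up the third context's callback for the already-freed node, which is the same position in the loop as the stack.c:145 read in the valgrind log. The fixed variant records none and still frees the node exactly once after the loop, which is the property the patch needs the real stack code to provide.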