Package: tk-html3
Version: 3.0~fossil20110109-8
Severity: normal
X-Debbugs-Cc: none

Dear Maintainer,

I am not sure whether this is the right place, but I would like to report a bug in libTkhtml3.0.so, used by the hv3 browser. To reproduce it, use the following steps:

```
$ echo '<style>.hello { background-color:rgb(A); }</style>' > bug.html
$ hv3 bug.html
Segmentation fault
```

Because of the printed "Segmentation fault" message, I researched the bug a bit further to establish why it happens. This is the backtrace shown once SIGSEGV occurs:

```
► 0 0x7ffff73b4482 inputNextToken+50
  1 0x7ffff73b49cb inputNextTokenIgnoreSpace+11
  2 0x7ffff73b5b57 HtmlCssGetNextCommaListItem+71
  3 0x7ffff73af784 tokenToProperty+1444
  4 0x7ffff73b0155 HtmlCssDeclaration+421
  5 0x7ffff73b4e0b parseDeclarationBlock+795
  6 0x7ffff73b5510 HtmlCssRunParser+1696
  7 0x7ffff73aeabd cssParse+429
```

The function in question is `tokenToProperty`, which calls the `rgbToColor` function that parses the `rgb()` CSS function call:
https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L430

The parser expects the format of the function call to be `rgb(A, B, C)`, which doesn't have to be the case nowadays. A valid example may be:

```
#example { background-color: rgb(var(--color)); }
```

Because the function call does not conform to the format hv3 expects, the `rgbToColor` function will iterate three times through its arguments searching for values separated by commas and end up dereferencing a NULL pointer:

```
► 0x7ffff73af77f <tokenToProperty+1439>    call   HtmlCssGetNextCommaListItem@plt <HtmlCssGetNextCommaListItem@plt>
        rdi: 0x0
        rsi: 0x55f7348b
        rdx: 0x7fffffffc048 ◂— 0xffffffffffffffff
        rcx: 0x0
...
Thread 1 "wish" received signal SIGSEGV, Segmentation fault.
0x00007ffff73b4482 in inputNextToken () from /usr/lib/Tkhtml3.0/libTkhtml3.0.so
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────
 RAX  0x0
 RBX  0x0
 RCX  0x0
*RDX  0x7fffffffc538 ◂— 0xffffffffffffffff
*RDI  0x7fffffffc400 ◂— 0x0
*RSI  0x55fbd63f
*R8   0x7ffff7c6d560 (_nl_global_locale) —▸ 0x5555555593f0 —▸ 0x555555559350 ◂— 'en_US.UTF-8'
*R9   0x3
 R10  0x0
*R11  0x7ffff7c164c0 (_nl_C_LC_CTYPE_tolower+512) ◂— 0x100000000
 R12  0x0
*R13  0x7fffffffc400 ◂— 0x0
 R14  0x0
*R15  0x55fbd63f
*RBP  0x55fbd63f
*RSP  0x7fffffffc360 —▸ 0x555555f886b0 ◂— 0x3
*RIP  0x7ffff73b4482 (inputNextToken+50) ◂— cmp byte ptr [rbx], 0x2f
──────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────
 ► 0x7ffff73b4482 <inputNextToken+50>     cmp    byte ptr [rbx], 0x2f
   0x7ffff73b4485 <inputNextToken+53>     je     inputNextToken+232 <inputNextToken+232>
    ↓
   0x7ffff73b4538 <inputNextToken+232>    cmp    byte ptr [rbx + 1], 0x2a
   0x7ffff73b453c <inputNextToken+236>    jne    inputNextToken+59 <inputNextToken+59>
    ↓
   0x7ffff73b448b <inputNextToken+59>     movzx  edx, byte ptr [rbx]
   0x7ffff73b448e <inputNextToken+62>     cmp    dl, 0x20
   0x7ffff73b4491 <inputNextToken+65>     jle    inputNextToken+97 <inputNextToken+97>
    ↓
   0x7ffff73b44b1 <inputNextToken+97>     cmp    dl, 8
   0x7ffff73b44b4 <inputNextToken+100>    jg     inputNextToken+398 <inputNextToken+398>
    ↓
   0x7ffff73b45de <inputNextToken+398>    movabs rax, 0x100002600
   0x7ffff73b45e8 <inputNextToken+408>    bt     rax, rdx
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsp 0x7fffffffc360 —▸ 0x555555f886b0 ◂— 0x3
01:0008│     0x7fffffffc368 ◂— 0x41007fffffffffff
02:0010│     0x7fffffffc370 ◂— 0x0
03:0018│     0x7fffffffc378 ◂— 0x0
04:0020│     0x7fffffffc380 —▸ 0x555555f886e0 ◂— 0x3
05:0028│     0x7fffffffc388 ◂— 0xf037dcd0ffffffff
06:0030│     0x7fffffffc390 —▸ 0x555555b3427b ◂— 'info exists ::hv3::log_source_option]} return\n if {$::hv3::log_source_option} {\n append O(myHtmlDocument) $data\n }\n '
07:0038│     0x7fffffffc398 —▸ 0x7fffffffc138 —▸ 0x7fffffffc1b8 —▸ 0x7fffffffc1d8 ◂— 0x0
...
```

In the code I have identified the following calls causing the crash:

- `rgbToColor` fetches the next comma list item by calling `HtmlCssGetNextCommaListItem`:
  https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L444

  ```
  aToken[ii].z = HtmlCssGetNextCommaListItem(z, zEnd - z, &aToken[ii].n);
  ```

- `HtmlCssGetNextCommaListItem` calls `inputNextTokenIgnoreSpace`, which calls `inputNextToken`:
  https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L1186

  ```
  inputNextTokenIgnoreSpace(&sInput);
  ```

- `inputNextToken` references the first element `z[0]` of the NULL pointer `z`:
  https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L208

  ```
  switch( z[0] ){
  ```

This bug also makes the hv3 browser crash on legitimate sites, effectively making it unusable:

```
$ hv3 http://wordpress.com
Error in -requestcmd https://fonts-api.wp.com/css?family=Raleway:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|Cabin:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|: Illegal characters in URL path
Segmentation fault
```

If my analysis is correct, the fix for this issue would be to change the current rgb function parsing implementation and add support for other types of function arguments. Although it seems to me that this browser has been unmaintained for several years now, I see it is available in the Debian repos, so I decided to report the bug.
-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tk-html3 depends on:
ii  libc6     2.36-9+deb12u3
ii  libx11-6  2:1.8.4-2+deb12u2
ii  tk        8.6.13

tk-html3 recommends no packages.

tk-html3 suggests no packages.

-- no debconf information
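Editor's note, added after the report and not part of it: the report describes a three-iteration loop that keeps asking the comma-list walker for the next `rgb()` argument without checking whether one was returned, so `rgb(A)` and `rgb(var(--color))` run it past the end of the list. The C below is a small stand-alone model of that argument walk with the missing check in place. It is not tkhtml3's code; `next_comma_item()`, `parse_component()`, `parse_rgb_args()` and the `ArgToken` struct are names chosen for this illustration (loosely after the report's `aToken[ii]`), and the inputs in `main()` are constructed from the report's examples.

```c
/* Added illustration, not tkhtml3's code: a model of the rgb() argument
 * walk the report describes, with the missing NULL check in place.
 * next_comma_item(), parse_component() and parse_rgb_args() are names
 * chosen here; they are not the tkhtml3 functions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *z; int n; } ArgToken;   /* modelled on the report's aToken[] */

/* Return the next top-level comma-separated item of [*pz, end) and its
 * trimmed length in *pLen, leaving *pz at the separating comma or at end.
 * Returns NULL once the input is exhausted, which is exactly what a caller
 * that loops three times unconditionally must check for. */
static const char *next_comma_item(const char **pz, const char *end, int *pLen)
{
    const char *z = *pz, *start, *p;
    int depth = 0;

    while (z < end && isspace((unsigned char)*z)) z++;
    if (z >= end) { *pz = z; *pLen = 0; return NULL; }
    start = z;
    for (p = z; p < end; p++) {
        if (*p == '(') depth++;
        else if (*p == ')' && depth > 0) depth--;
        else if (*p == ',' && depth == 0) break;  /* commas inside var(...) do not split */
    }
    *pz = p;
    while (p > start && isspace((unsigned char)p[-1])) p--;
    *pLen = (int)(p - start);
    return start;
}

/* One rgb() component: decimal or percentage, clamped to 0..255; -1 if not numeric. */
static int parse_component(const char *z, int n)
{
    char buf[32], *endp;
    long v;

    if (n <= 0 || n >= (int)sizeof buf) return -1;
    memcpy(buf, z, (size_t)n);
    buf[n] = '\0';
    v = strtol(buf, &endp, 10);
    if (endp == buf) return -1;                  /* "A", "var(--color)" */
    if (*endp == '%') {
        if (endp[1] != '\0') return -1;
        v = v * 255 / 100;
    } else if (*endp != '\0') {
        return -1;
    }
    if (v < 0) v = 0;
    if (v > 255) v = 255;
    return (int)v;
}

/* args is the text between the parentheses of rgb(...). Returns 1 and fills
 * rgb[3] on success, 0 for anything that is not exactly three numeric
 * components, so rgb(A) and rgb(var(--color)) are rejected instead of
 * walking past the end of the comma list. */
int parse_rgb_args(const char *args, unsigned char rgb[3])
{
    const char *z = args, *end = args + strlen(args);
    ArgToken tok[3];
    int ii;

    for (ii = 0; ii < 3; ii++) {
        int v;
        tok[ii].z = next_comma_item(&z, end, &tok[ii].n);
        if (tok[ii].z == NULL) return 0;         /* fewer than three items: stop here */
        v = parse_component(tok[ii].z, tok[ii].n);
        if (v < 0) return 0;
        rgb[ii] = (unsigned char)v;
        if (ii < 2) {
            if (z >= end || *z != ',') return 0; /* items must be comma-separated */
            z++;
        }
    }
    while (z < end && isspace((unsigned char)*z)) z++;
    return z == end;                             /* reject a fourth component or junk */
}

int main(void)
{
    /* Constructed inputs taken from the report's examples plus a percentage form. */
    const char *inputs[] = { "255, 0, 0", "A", "var(--color)", "10%, 50%, 100%" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned char c[3];
        if (parse_rgb_args(inputs[i], c))
            printf("rgb(%s) -> #%02x%02x%02x\n", inputs[i], c[0], c[1], c[2]);
        else
            printf("rgb(%s) -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The point of the model is the single `if (tok[ii].z == NULL) return 0;` line: once the item walker reports that the list is exhausted, the loop stops and the declaration is dropped, rather than handing a NULL pointer to the next tokenizer call as the report's backtrace shows. Accepting `var()` or other function arguments as values would be a separate enhancement; rejecting them cleanly is what turns the segfault into an ignored property.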