lynx-dev

[Lynx-dev] Lynx segfault (null deref) at HTML_start_element()


From: Aki Helin
Subject: [Lynx-dev] Lynx segfault (null deref) at HTML_start_element()
Date: Wed, 30 Nov 2011 11:59:53 +0200
User-agent: Heirloom mailx 12.4 7/29/08

Hi again, 

A page containing "<button <input type=hidden </html>" causes the
crash below on 64-bit Linux using lynx-cur and the one in Debian:

Program received signal SIGSEGV, Segmentation fault.
0x000000000048118e in HTML_start_element (me=0x8f3e90, element_number=21, 
present=0x8f9a9d "", value=0x8f9ac8, tag_charset=0,             
    include=0x8f9c58) at HTML.c:4481
4481                    for (i = 0; I.value[i]; i++) {
(gdb) x/i $rip
=> 0x48118e <HTML_start_element+55057>: movzbl (%rax),%eax
(gdb) p $rax
$1 = 0
(gdb) bt
#0  0x000000000048118e in HTML_start_element (me=0x8f3e90, element_number=21, 
present=0x8f9a9d "", value=0x8f9ac8, tag_charset=0, 
    include=0x8f9c58) at HTML.c:4481
#1  0x00000000004d54f9 in start_element (context=0x8f9a40) at 
../../../WWW/Library/Implementation/SGML.c:1357
#2  0x00000000004db0a6 in SGML_character (context=0x8f9a40, c_in=62) at 
../../../WWW/Library/Implementation/SGML.c:3550
#3  0x00000000004dd963 in SGML_write (context=0x8f9a40, str=0x7ad440 "<button <input type=hidden </html>\n", l=35)
    at ../../../WWW/Library/Implementation/SGML.c:4381
#4  0x00000000004eb095 in HTFileCopy (fp=0x8f3c30, sink=0x8f9a40) at 
../../../WWW/Library/Implementation/HTFormat.c:948
#5  0x00000000004eb57a in HTParseFile (rep_in=0x844700, format_out=0x8462e0, 
anchor=0x8f3580, fp=0x8f3c30, sink=0x0)
    at ../../../WWW/Library/Implementation/HTFormat.c:1481
#6  0x00000000004c7220 in decompressAndParse (anchor=0x8f3580, 
format_out=0x8462e0, sink=0x0, nodename=0x8f3ae0 "localhost", 
    filename=0x8ec440 "/home/aki/cases/lynx-2.html", myEncoding=0x83f470, 
format=0x844700, statusp=0x7fffffffd304)
    at ../../../WWW/Library/Implementation/HTFile.c:2605
#7  0x00000000004c803b in HTLoadFile (addr=0x8f3740 
"file://localhost/home/aki/cases/lynx-2.html", anchor=0x8f3580, 
format_out=0x8462e0, 
    sink=0x0) at ../../../WWW/Library/Implementation/HTFile.c:3004
#8  0x00000000004be6a0 in HTLoad (addr=0x8ec350 
"file://localhost/home/aki/cases/lynx-2.html", anchor=0x8f3580, 
format_out=0x8462e0, 
    sink=0x0) at ../../../WWW/Library/Implementation/HTAccess.c:701
#9  0x00000000004beb9b in HTLoadDocument (full_address=0x8ec350 
"file://localhost/home/aki/cases/lynx-2.html", anchor=0x8f3580, 
    format_out=0x8462e0, sink=0x0) at 
../../../WWW/Library/Implementation/HTAccess.c:935
#10 0x00000000004bf220 in HTLoadAbsolute (docaddr=0x7fffffffd540) at 
../../../WWW/Library/Implementation/HTAccess.c:1117
#11 0x0000000000433b8b in getfile (doc=0x7a09a0, target=0x7fffffffd6dc) at 
LYGetFile.c:808
#12 0x0000000000443fc6 in mainloop () at LYMainLoop.c:5610
#13 0x00000000004368f8 in main (argc=2, argv=0x7fffffffe0c8) at LYMain.c:2226
(gdb) list
4476                     * value is greater than a line width for the current style.
4477                     * Also, if chars somehow ended up longer than the length of
4478                     * the actual value (shouldn't have), we'll continue padding
4479                     * with nbsp up to the length of chars.  - FM
4480                     */
4481                    for (i = 0; I.value[i]; i++) {
4482                        HTML_put_character(me,
4483                                           (char) ((I.value[i] == ' ')
4484                                                   ? HT_NON_BREAK_SPACE
4485                                                   : I.value[i]));
(gdb) p I.value
$2 = 0x0

I don't know where the null check would belong, or if a null should even 
be a valid value here. Using I.value && I.value[i] as the test is enough to 
avoid this crash, but there are likely also other affected places.


-- 
Aki Helin / OUSPG
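To make the failure mode concrete, here is an added example (not Lynx code, and not part of the report above) that models the padding loop at HTML.c:4481 in isolation. The struct name `input_attrs`, the function names, the 0xA0 stand-in for `HT_NON_BREAK_SPACE` and the sample values are all assumptions chosen for illustration; only the loop shape and the `I.value && I.value[i]` check come from the report. The unchecked version reproduces the crash if it is ever handed a NULL value, so the driver deliberately never calls it that way.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Lynx's HT_NON_BREAK_SPACE; the exact code used by Lynx is
 * not shown on the page, so this value is an assumption. */
#define HT_NON_BREAK_SPACE ((char)0xA0)

/* Hypothetical stand-in for the attribute struct HTML_start_element keeps
 * in "I": value is NULL when the INPUT had no VALUE attribute at all, which
 * is what "<button <input type=hidden </html>" produces in the report. */
struct input_attrs {
    const char *value;
};

/* The loop as reported: the loop condition dereferences I->value without
 * checking it, so an absent VALUE attribute reads address 0 (the movzbl
 * (%rax) with rax == 0 in the gdb session above). */
static size_t pad_value_unchecked(const struct input_attrs *I, char *out, size_t outlen)
{
    size_t i, n = 0;
    for (i = 0; I->value[i]; i++) {
        char c = (I->value[i] == ' ') ? HT_NON_BREAK_SPACE : I->value[i];
        if (n + 1 < outlen)
            out[n++] = c;
    }
    if (outlen)
        out[n] = '\0';
    return n;
}

/* The check suggested in the report: a NULL value behaves like "" and the
 * loop body is never entered. Everything else is unchanged. */
static size_t pad_value_checked(const struct input_attrs *I, char *out, size_t outlen)
{
    size_t i, n = 0;
    for (i = 0; I->value && I->value[i]; i++) {
        char c = (I->value[i] == ' ') ? HT_NON_BREAK_SPACE : I->value[i];
        if (n + 1 < outlen)
            out[n++] = c;
    }
    if (outlen)
        out[n] = '\0';
    return n;
}

/* Returns 1 when the checked loop turns `value` into exactly `expected`
 * (spaces replaced by the nbsp placeholder, NULL treated as empty). */
static int padding_matches(const char *value, const char *expected)
{
    struct input_attrs I = { value };
    char out[64];
    size_t n = pad_value_checked(&I, out, sizeof out);
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

int main(void)
{
    /* Constructed inputs: "absent" mirrors the reported markup, "given" is
     * an ordinary VALUE attribute containing a space. */
    const struct input_attrs absent = { NULL };
    const struct input_attrs given  = { "a b" };
    char out[64];

    printf("checked,   VALUE absent:  %zu chars\n", pad_value_checked(&absent, out, sizeof out));
    printf("checked,   VALUE present: %zu chars\n", pad_value_checked(&given, out, sizeof out));
    printf("unchecked, VALUE present: %zu chars\n", pad_value_unchecked(&given, out, sizeof out));
    /* pad_value_unchecked(&absent, ...) would SIGSEGV exactly as in the report. */
    return 0;
}
```

The point of keeping both functions side by side is that the fix is a one-token change to the loop condition; whether NULL should be allowed to reach this point at all, or be normalised to "" earlier (for example where the attribute table is filled in), is the open question the report raises, and the check here only closes the crash, not that design decision.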


