bug-groff

[bug #62040] [troff] double-free crash provoked by HTML man(7) output


From: G. Branden Robinson
Subject: [bug #62040] [troff] double-free crash provoked by HTML man(7) output
Date: Sat, 12 Feb 2022 03:04:31 -0500 (EST)

URL:
  <https://savannah.gnu.org/bugs/?62040>

                 Summary: [troff] double-free crash provoked by HTML man(7) output
                 Project: GNU troff
            Submitted by: gbranden
            Submitted on: Sat 12 Feb 2022 08:04:29 AM UTC
                Category: Core
                Severity: 4 - Important
              Item Group: Crash/Unresponsive
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None

    _______________________________________________________

Details:

Problem exists in groff Git HEAD but not groff 1.22.4.  However, (speculating)
this problem may have been masked in the past by groff's use of its own
allocator.


$ cat EXPERIMENTS/tag-list-in-html.man 
.TH foo 1 2022-02-12 "groff test suite"
.TP
List
.RS
.TP
.B LOOOOOONG_ITEM
.TQ
.B LOOOOONGISH_ITEM
.TQ
.B SHORT
.TQ
.B ANOTHER_LONG_ONE
.RE
$ ./build/test-groff -man -Thtml EXPERIMENTS/tag-list-in-html.man >| tag.html
free(): double free detected in tcache 2
groff: error: troff: Aborted (core dumped)
$ gdb ./build/troff ./core
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./build/troff...done.
[New LWP 45485]
Core was generated by `troff -b -ww -man -dwww-image-template=grohtml-45478-
-Thtml'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
##(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fb5285be535 in __GI_abort () at abort.c:79
#2  0x00007fb528615508 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7fb52872028d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fb52861bc1a in malloc_printerr (str=str@entry=0x7fb528721f58
"free(): double free detected in tcache 2") at malloc.c:5341
#4  0x00007fb52861d6fd in _int_free (av=0x7fb528757c40 <main_arena>,
p=0x55ca61849700, have_lock=<optimized out>) at malloc.c:4193
#5  0x000055ca5f8b1c8c in sfree (ptr=0x55ca61849710 "P$ra\312U") at
../src/libs/libgroff/string.cpp:47
#6  0x000055ca5f8b1ffe in string::~string (this=0x55ca61720c98,
__in_chrg=<optimized out>) at ../src/libs/libgroff/string.cpp:127
#7  0x000055ca5f88e51e in string_value::~string_value (this=0x55ca61720c98,
__in_chrg=<optimized out>) at ../src/roff/troff/mtsm.cpp:139
#8  0x000055ca5f88eb7f in statem::~statem (this=0x55ca61720c40,
__in_chrg=<optimized out>) at ../src/roff/troff/mtsm.cpp:193
#9  0x000055ca5f88fac7 in stack::~stack (this=0x55ca61713890,
__in_chrg=<optimized out>) at ../src/roff/troff/mtsm.cpp:349
#10 0x000055ca5f88fbb8 in mtsm::~mtsm (this=0x55ca616d8a80,
__in_chrg=<optimized out>) at ../src/roff/troff/mtsm.cpp:364
#11 0x000055ca5f894a62 in output_file::~output_file (this=0x55ca616d8a70,
__in_chrg=<optimized out>) at ../src/roff/troff/node.cpp:1631
#12 0x000055ca5f894ec2 in real_output_file::~real_output_file
(this=0x55ca616d8a70, __in_chrg=<optimized out>) at
../src/roff/troff/node.cpp:1667
#13 0x000055ca5f894725 in troff_output_file::~troff_output_file
(this=0x55ca616d8a70, __in_chrg=<optimized out>)
    at ../src/roff/troff/node.cpp:1586
#14 0x000055ca5f894740 in troff_output_file::~troff_output_file
(this=0x55ca616d8a70, __in_chrg=<optimized out>)
    at ../src/roff/troff/node.cpp:1589
#15 0x000055ca5f85f1fa in cleanup_and_exit (exit_code=0) at
../src/roff/troff/div.cpp:566
#16 0x000055ca5f85f281 in top_level_diversion::begin_page
(this=0x55ca61671b60, n=...) at ../src/roff/troff/div.cpp:581
#17 0x000055ca5f85ed21 in top_level_diversion::space (this=0x55ca61671b60,
n=..., forced=1) at ../src/roff/troff/div.cpp:475
#18 0x000055ca5f877f6e in exit_troff () at ../src/roff/troff/input.cpp:2587
#19 0x000055ca5f887919 in main (argc=6, argv=0x7ffdfd993208) at
../src/roff/troff/input.cpp:8229
##(gdb) quit





    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?62040>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
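The backtrace above ends in libgroff's `string` destructor calling `sfree()` on a buffer that was already released. The following added illustration (constructed for this page, not groff's own code and not a claim about the actual root cause of bug #62040) shows the commonest way a C++ string-like class reaches that state, a copy that shares one heap buffer, and how a deep copy avoids it. A small checked allocator stands in for glibc's tcache check so the second free is counted instead of aborting the process.

```cpp
#include <cstdlib>
#include <cstring>
#include <set>

static std::set<void *> live;   // buffers currently allocated by salloc()
static int double_frees = 0;    // how many double frees were caught

static char *salloc(size_t n) {
  char *p = static_cast<char *>(std::malloc(n));
  live.insert(p);
  return p;
}

// Stand-in for libgroff's sfree(): a second free of the same buffer is
// recorded rather than aborting, which is what glibc's tcache check does.
static void sfree_checked(char *p) {
  if (!p) return;
  if (live.erase(p) == 0) { ++double_frees; return; }
  std::free(p);
}

// Hypothetical buggy class: no user-defined copy, so a copy shares the buffer
// and both destructors call sfree_checked() on the same pointer.
struct shallow_string {
  char *ptr;
  explicit shallow_string(const char *s) : ptr(salloc(std::strlen(s) + 1)) { std::strcpy(ptr, s); }
  ~shallow_string() { sfree_checked(ptr); }
};

// Fixed form: copy constructor and assignment duplicate the buffer (rule of three).
struct deep_string {
  char *ptr;
  explicit deep_string(const char *s) : ptr(salloc(std::strlen(s) + 1)) { std::strcpy(ptr, s); }
  deep_string(const deep_string &o) : ptr(salloc(std::strlen(o.ptr) + 1)) { std::strcpy(ptr, o.ptr); }
  deep_string &operator=(const deep_string &o) {
    if (this != &o) {
      char *n = salloc(std::strlen(o.ptr) + 1);
      std::strcpy(n, o.ptr);
      sfree_checked(ptr);
      ptr = n;
    }
    return *this;
  }
  ~deep_string() { sfree_checked(ptr); }
};

// Mimic a state-stack entry being copied and then both copies torn down, as
// happens when a stack of such values is destroyed; returns double frees seen.
template <class S> int teardown_copies(const char *tag) {
  double_frees = 0;
  { S a(tag); S b = a; }   // both destructors run at the closing brace
  return double_frees;
}
```

Building the real program with `-fsanitize=address` reports the same defect with both the freeing and the allocating stack, which is usually faster than a core dump for locating the shared pointer.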