Re: [Bug-wget] [Bulk] wget/Chrome bug?

[Tim Rühsen]

Am Donnerstag, 9. April 2015, 15:32:47 schrieb Gisle Vanem:
> Gisle Vanem wrote:
> > I hope it's not only the Windows version of Wget/Gnulib that is
> > vulnerable....
> 
> Seems '-DENABLE_DEBUG' and '-DDEBUG_MALLOC' have to be in effect to
> trigger this crash. My previous attempt was with MSVC v18 (release mode).
> Now I've built a MingW 3.21 version with the same CFLAGS and I'm getting
> the almost the same crash report from gdb as I did from WinDbg.
> 
> I'll let some of you Wget experts comment and/or verify the cause of
> this. gdb output attached and which has this:
>   warning: Heap block at 009CCE70 modified at 009CCE84 past requested size
> of 8
> 
> Does this give any clue?

Yes, thanks Gisle.

It comes out with -DDEBUG_MALLOC which enables cleanup() code:

#ifdef DEBUG_MALLOC
...
free_vec (opt.accepts);
...
#endif


To show on Linux:
$ valgrind src/wget -Ahtml http://example.com

==15287== Invalid read of size 8
==15287==    at 0x42F4C9: free_vec (utils.c:1286)
==15287==    by 0x421B04: cleanup (init.c:1797)
==15287==    by 0x4062FE: main (main.c:1771)
==15287==  Address 0x95cfa00 is 0 bytes after a block of size 16 alloc'd
==15287==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==15287==    by 0x4C2AFCF: realloc (vg_replace_malloc.c:692)
==15287==    by 0x439685: xrealloc (xmalloc.c:61)
==15287==    by 0x42E6D3: sepstring (utils.c:268)
==15287==    by 0x4210A7: cmd_vector (init.c:1079)
==15287==    by 0x42196B: setoptval (init.c:876)
==15287==    by 0x405255: main (main.c:1153)

I didn't have the time to track it further down, not sure if I have tomorrow.
So, anybody feel free to fix the issue.

To compile and run Wget:
export CFLAGS="... -DDEBUG_MALLOC"
./configure
valgrind src/wget -Ahtml http://example.com

Regards, Tim

signature.asc
Description: This is a digitally signed message part.