If I send an HTTP response containing certain data (corrupted headers) back to wget, I can make it segfault.

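The gdb backtrace is attached. It shows xstrdup() being called with string=0x0 from gethttp() at http.c:1832, so the segfault is a NULL pointer dereference inside strlen(). In that frame statcode is -1 and message is 0x0, which suggests the response's status line could not be parsed and the resulting NULL was not checked before being copied.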

    Jonas
(gdb) run -O /dev/null http://localhost:8080/
Starting program: /home/jonas/src/wget-1.12/src/wget -O /dev/null 
http://localhost:8080/
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0xb7cddd03 in strlen () from /lib/libc.so.6
(gdb) bt full
#0  0xb7cddd03 in strlen () from /lib/libc.so.6
No symbol table info available.
#1  0x0807e36c in xstrdup (string=0x0) at xmalloc.c:117
No locals.
#2  0x080620e8 in gethttp (u=0x80cbac8, hs=0xbffff468, dt=0xbffff678, 
proxy=0x0, iri=0x80aa918) at http.c:1832
        req = 0x80c3c90
        type = 0x343a3533 <Address 0x343a3533 out of bounds>
        user = 0x0
        passwd = 0x0
        proxyauth = 0x0
        statcode = -1
        write_error = 112
        contlen = -1
        contrange = 0
        conn = 0x80cbac8
        fp = 0x80757b1
        sock = 6
        flags = 0
        auth_finished = false
        basic_auth_finished = false
        ntlm_seen = false
        using_ssl = false
        head_only = false
        head = 0x80c5788 "HTTP_Accept", ' ' <repeats 20 times>, "= 
*/*\nREQUEST_METHOD", ' ' <repeats 17 times>, "= GET\nHTTP_Host", ' ' <repeats 
22 times>, "= localhost:8080\nPATH_INFO", ' ' <repeats 22 times>, "= 
/\nHTTP_User-Agent", ' ' <repeats 16 times>, "= Wget/1.12 "...
        resp = 0x80c50e0
        hdrval = 
"\267\340\370\377\267\000\000\000\000w\362\377\277\370\361\377\277\005\233\004\b",
 '\000' <repeats 12 times>"\260, 
\361\377\277X\361\377\277\060\000\000\000\370\361\377\277\203\210ҷ\364\317ڷ$\027ͷ|\343Ʒ\240\022\336\267\060\000\000\000\377\377\377\377\304\357\377\267\005\233\004\b\001\000\000\000\220\361\377\277\266\374\376\267\230\372\377\267\360\033\336\267\001\000\000\000\001\000\000\000\000\000\000\000\001\000\000\000\344\037ͷ\034\311\t\b\000\000\000\000|\343Ʒ\000\367\377\277\364\317ڷ`\325ڷ\250\361\377\277\260b̷`\325ڷ\000\367\377\277\340\365\377\277\000\000\000\000\330\361\377\277E\177\006\b`\325ڷ\330\361\377\277\060l̷`\325ڷ\370\361\377\277\060\000\000\000\300\246÷`\325ڷ\340\365\377\277\000\000\000\000\230\362\377\277\026\177\006\b\370\361\377\277`\325ڷ\021L\t\b\350\362\377\277\226\323ط\270\343ڷ--2"
        message = 0x0
        keep_alive = false
        inhibit_keep_alive = false
        post_data_size = 0
        host_lookup_failed = false
        __PRETTY_FUNCTION__ = "gethttp"
#3  0x0806406c in http_loop (u=0x80cbac8, newloc=0xbffff558, 
local_file=0xbffff550, referer=0x0, dt=0xbffff678, proxy=0x0, 
    iri=0x80aa918) at http.c:2581
        count = 1
        got_head = false
        time_came_from_head = false
        got_name = true
        tms = 0x80a96a0 "2010-04-15 23:35:44"
        tmrate = 0x7468a908 <Address 0x7468a908 out of bounds>
        err = FTPOK
        ret = TRYLIMEXC
        tmr = -1
        hstat = {len = 0, contlen = -1, restval = 0, res = -1, rderrmsg = 0x0, 
newloc = 0x0, remote_time = 0x0, error = 0x0, 
          statcode = 0, message = 0x0, rd_size = 0, dltime = 0, referer = 0x0, 
local_file = 0x80c3c08 "/dev/null", 
          existence_checked = false, timestamp_checked = false, orig_file_name 
= 0x0, orig_file_size = 0, orig_file_tstamp = 0}
        st = {st_dev = 17179869186, __pad1 = 48, __st_ino = 3083698062, st_mode 
= 4, st_nlink = 23, st_uid = 3084440470, 
          st_gid = 3084575672, st_rdev = 80, __pad2 = 80, st_size = 
42949672970, st_blksize = 4, 
          st_blocks = -5198592612231020496, st_atim = {tv_sec = 4, tv_nsec = 
23}, st_mtim = {tv_sec = -1210526826, 
            tv_nsec = -1210391624}, st_ctim = {tv_sec = -1210527102, tv_nsec = 
-1210526352}, st_ino = 137438953552}
        send_head_first = false
        file_name = 0x80c3c18 "/etc/localtime"
        __PRETTY_FUNCTION__ = "http_loop"
#4  0x0806fc03 in retrieve_url (orig_parsed=0x80cbac8, origurl=0x80aa8b0 
"http://localhost:8080/", file=0xbffff680,
    newloc=0xbffff67c, refurl=0x0, dt=0xbffff678, recursive=false, 
iri=0x80aa918, register_status=true) at retr.c:692
        result = NOCONERROR
        url = 0x80c3b38 "http://localhost:8080/"
        location_changed = 10
        iri_fallbacked = false
        dummy = 134916279
        mynewloc = 0x0
        proxy = 0x0
        u = 0x80cbac8
        proxy_url = 0x0
        up_error_code = 134916279
        local_file = 0x80c3b58 "/dev/null"
        redirection_count = 0
        post_data_suspended = false
        saved_post_data = 0x0
        saved_post_file_name = 0x0
        __PRETTY_FUNCTION__ = "retrieve_url"
#5  0x08069c6f in main (argc=4, argv=0xbffff7a4) at main.c:1294
        dt = 0
        url_err = -1073744108
        filename = 0x0
        redirected_URL = 0x0
        iri = 0x80aa918
        url_parsed = 0x80cbac8
        url = 0xbffff5e0
        t = 0xbffff5e0
        i = 1
        ret = -1
        longindex = -1
        nurl = 1
        status = 31
        append_to_log = false
