Hi Darshit, Patch works perfectly.
To reproduce the problem you can do the following: docker run --rm -ti fedora:23 /bin/bash yum -y install wget stty cols 40 wget http://www.gnu.org/ I've pasted some output from the above commands below. I guess if you just run this on any machine with wget 1.17.1 with stty cols set to 40 you'd see the same behaviour. Thanks, Lauchlin docker run --rm -ti fedora:23 /bin/bash [root@6e2b3bf32633 /]# yum -y install wget Yum command has been deprecated, redirecting to '/usr/bin/dnf -y install wget'. See 'man dnf' and 'man yum2dnf' for more information. To transfer transaction metadata from yum to DNF, run: 'dnf install python-dnf-plugins-extras-migrate && dnf-2 migrate' Fedora 23 - x86_64 - Updates 2.6 MB/s | 19 MB 00:07 Fedora 23 - x86_64 5.4 MB/s | 43 MB 00:07 Last metadata expiration check performed 0:00:19 ago on Tue Feb 23 03:31:49 2016. Dependencies resolved. ============================================================================================================================================ Package Arch Version Repository Size ============================================================================================================================================ Installing: libicu x86_64 54.1-5.fc23 fedora 8.4 M libpsl x86_64 0.7.0-5.fc23 fedora 52 k wget x86_64 1.17.1-1.fc23 updates 640 k Transaction Summary ============================================================================================================================================ Install 3 Packages Total download size: 9.0 M Installed size: 32 M Downloading Packages: (1/3): wget-1.17.1-1.fc23.x86_64.rpm 548 kB/s | 640 kB 00:01 (2/3): libpsl-0.7.0-5.fc23.x86_64.rpm 27 kB/s | 52 kB 00:01 (3/3): libicu-54.1-5.fc23.x86_64.rpm 1.8 MB/s | 8.4 MB 00:04 -------------------------------------------------------------------------------------------------------------------------------------------- Total 1.1 MB/s | 9.0 MB 00:08 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Installing : libicu-54.1-5.fc23.x86_64 1/3 Installing : libpsl-0.7.0-5.fc23.x86_64 2/3 Installing : wget-1.17.1-1.fc23.x86_64 3/3 Verifying : wget-1.17.1-1.fc23.x86_64 1/3 Verifying : libpsl-0.7.0-5.fc23.x86_64 2/3 Verifying : libicu-54.1-5.fc23.x86_64 3/3 Installed: libicu.x86_64 54.1-5.fc23 libpsl.x86_64 0.7.0-5.fc23 wget.x86_64 1.17.1-1.fc23 Complete! [root@6e2b3bf32633 /]# stty cols 40 nu.org/e2b3bf32633 /]# wget http://www.g --2016-02-23 03:32:58-- http://www.gnu.org/ Resolving www.gnu.org (www.gnu.org)... 208.118.235.148, 2001:4830:134:3::a Connecting to www.gnu.org (www.gnu.org)|208.118.235.148|:80... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: 'index.html' index.html 16.55K 21.1KB/s Segmentation fault (core dumped) [root@6e2b3bf32633 /]# exit On Tue, 23 Feb 2016 at 01:10 Darshit Shah <[email protected]> wrote: > I've attached a small patch to this mail. Kindly test it it out if > possible and > let us know if it works. > > Also, it would be nice if you could provide a way for us to replicate the > issue, so that we can understand the specific condition causing it. > > On 02/22, Lauchlin Wilkinson wrote: > >Hi, > > > > > >recently I've come across a bug where wget is segfaulting when it reaches > a > >condition in process.c line 1167. Namely it seems that somehow padding is > >being being set to a negative value which is then being used in memset and > >thus causing the segfault. It is a bit tricky to reproduce the problem as > >I can only seem to trigger the crash when wget is getting called via > >ssh from a shell script as part of a packer.io provisioner step. I'm > >guessing it has something to do with the way the ssh session is setting > the > >pty options to do with width and height of the terminal. Even if the > >settings are odd, I'm thinking that wget still should be able to handle > the > >situation gracefully and not segfault. > > > > > >Would it be a good idea at line 1167 of progress.c to add some validation > >to ensure padding is never set to a negative value before memset() is > >called? > > > > > >wget version and a dump from valgrind attached. > > > > > >- Lauchlin > > > > > >########################################################## > > > > > >wget --version > >GNU Wget 1.17.1 built on linux-gnu. > > > >+digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm > >+opie +psl +ssl/openssl > > > >Wgetrc: > >/etc/wgetrc (system) > >Locale: > >/usr/share/locale > >Compile: > >gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" > >-DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -DHAVE_LIBSSL > >-DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions > >-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic > >Link: > >gcc -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall > >-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector > >--param=ssp-buffer-size=4 -m64 -mtune=generic -luuid -lssl -lcrypto > >-lz -lpsl -lidn ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a > > > >Copyright (C) 2015 Free Software Foundation, Inc. > >License GPLv3+: GNU GPL version 3 or later > ><http://www.gnu.org/licenses/gpl.html>. > >This is free software: you are free to change and redistribute it. > >There is NO WARRANTY, to the extent permitted by law. > > > >Originally written by Hrvoje Niksic <[email protected]>. > >Please send bug reports and questions to <[email protected]>. > > > >########################################################## > > > > > >==1528== Memcheck, a memory error detector > >==1528== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. > >==1528== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright > info > >==1528== Command: wget -c -O index.html https://www.property.com.au/ > >==1528== > >--2016-02-22 05:30:52-- https://www.property.com.au/ > >Resolving www.property.com.au (www.property.com.au)... 104.114.168.114 > >Connecting to www.property.com.au (www.property.com.au > )|104.114.168.114|:443... > >connected. > >HTTP request sent, awaiting response... 301 Moved Permanently > >Location: /buy [following] > >--2016-02-22 05:30:54-- https://www.property.com.au/buy > >Reusing existing connection to www.property.com.au:443. > >HTTP request sent, awaiting response... 200 OK > >Length: unspecified [text/html] > >Saving to: ‘index.html’ > > > >index.html 0 --.-KB/s ==1528== Invalid write of > size 8 > >==1528== at 0x4C2EE57: memset (in > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) > >==1528== by 0x42627A: memset (string3.h:84) > >==1528== by 0x42627A: create_image (progress.c:1167) > >==1528== by 0x42662A: bar_finish (progress.c:673) > >==1528== by 0x429498: fd_read_body (retr.c:429) > >==1528== by 0x419D75: read_response_body (http.c:1682) > >==1528== by 0x41F778: gethttp (http.c:3753) > >==1528== by 0x41FC08: http_loop (http.c:3971) > >==1528== by 0x42A054: retrieve_url (retr.c:817) > >==1528== by 0x406F2B: main (main.c:1868) > >==1528== Address 0x10278090 is 0 bytes after a block of size 144 alloc'd > >==1528== at 0x4C28BCD: malloc (in > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) > >==1528== by 0x43ADC8: xmalloc (xmalloc.c:41) > >==1528== by 0x4267DD: bar_create (progress.c:598) > >==1528== by 0x429319: fd_read_body (retr.c:274) > >==1528== by 0x419D75: read_response_body (http.c:1682) > >==1528== by 0x41F778: gethttp (http.c:3753) > >==1528== by 0x41FC08: http_loop (http.c:3971) > >==1528== by 0x42A054: retrieve_url (retr.c:817) > >==1528== by 0x406F2B: main (main.c:1868) > >==1528== > >==1528== > >==1528== Process terminating with default action of signal 11 (SIGSEGV) > >==1528== Bad permissions for mapped region at address 0x10553000 > >==1528== at 0x4C2EE57: memset (in > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) > >==1528== by 0x42627A: memset (string3.h:84) > >==1528== by 0x42627A: create_image (progress.c:1167) > >==1528== by 0x42662A: bar_finish (progress.c:673) > >==1528== by 0x429498: fd_read_body (retr.c:429) > >==1528== by 0x419D75: read_response_body (http.c:1682) > >==1528== by 0x41F778: gethttp (http.c:3753) > >==1528== by 0x41FC08: http_loop (http.c:3971) > >==1528== by 0x42A054: retrieve_url (retr.c:817) > >==1528== by 0x406F2B: main (main.c:1868) > >==1528== Invalid read of size 8 > >==1528== at 0x5D69209: __gconv_release_step (gconv_db.c:211) > >==1528== by 0x5D6A0E3: __gconv_close_transform (gconv_db.c:784) > >==1528== by 0x5DF22D6: _nl_cleanup_ctype (wcsmbsload.c:267) > >==1528== by 0x5EAA112: _nl_archive_subfreeres (in /lib64/libc-2.17.so) > >==1528== by 0x5EA9E2A: free_mem (in /lib64/libc-2.17.so) > >==1528== by 0x5EAA511: __libc_freeres (in /lib64/libc-2.17.so) > >==1528== by 0x4A24684: _vgnU_freeres (in > >/usr/lib64/valgrind/vgpreload_core-amd64-linux.so) > >==1528== by 0x10278030: ??? > >==1528== by 0x42627A: memset (string3.h:84) > >==1528== by 0x42627A: create_image (progress.c:1167) > >==1528== by 0x42662A: bar_finish (progress.c:673) > >==1528== by 0x429498: fd_read_body (retr.c:429) > >==1528== by 0x419D75: read_response_body (http.c:1682) > >==1528== Address 0x2d2d2d2d2d2d2cb8 is not stack'd, malloc'd or > (recently) > >free'd > >==1528== > >==1528== > >==1528== Process terminating with default action of signal 11 (SIGSEGV) > >==1528== General Protection Fault > >==1528== at 0x5D69209: __gconv_release_step (gconv_db.c:211) > >==1528== by 0x5D6A0E3: __gconv_close_transform (gconv_db.c:784) > >==1528== by 0x5DF22D6: _nl_cleanup_ctype (wcsmbsload.c:267) > >==1528== by 0x5EAA112: _nl_archive_subfreeres (in /lib64/libc-2.17.so) > >==1528== by 0x5EA9E2A: free_mem (in /lib64/libc-2.17.so) > >==1528== by 0x5EAA511: __libc_freeres (in /lib64/libc-2.17.so) > >==1528== by 0x4A24684: _vgnU_freeres (in > >/usr/lib64/valgrind/vgpreload_core-amd64-linux.so) > >==1528== by 0x10278030: ??? > >==1528== by 0x42627A: memset (string3.h:84) > >==1528== by 0x42627A: create_image (progress.c:1167) > >==1528== by 0x42662A: bar_finish (progress.c:673) > >==1528== by 0x429498: fd_read_body (retr.c:429) > >==1528== by 0x419D75: read_response_body (http.c:1682) > >==1528== > >==1528== HEAP SUMMARY: > >==1528== in use at exit: 923,752 bytes in 19,829 blocks > >==1528== total heap usage: 38,638 allocs, 18,809 frees, 2,684,605 bytes > >allocated > >==1528== > >==1528== 208 bytes in 1 blocks are definitely lost in loss record 819 of > 960 > >==1528== at 0x4C28BCD: malloc (in > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) > >==1528== by 0x5D7140E: __gconv_lookup_cache (gconv_cache.c:371) > >==1528== by 0x5D69E29: __gconv_find_transform (gconv_db.c:721) > >==1528== by 0x5DF2466: __wcsmbs_getfct (wcsmbsload.c:92) > >==1528== by 0x5DF2466: __wcsmbs_load_conv (wcsmbsload.c:187) > >==1528== by 0x5DE855C: get_gconv_fcts (wcsmbsload.h:75) > >==1528== by 0x5DE855C: mbrtowc (mbrtowc.c:69) > >==1528== by 0x5D7F4EB: mbtowc (mbtowc.c:64) > >==1528== by 0x425307: count_cols (progress.c:804) > >==1528== by 0x425F1B: create_image (progress.c:908) > >==1528== by 0x4267FB: bar_create (progress.c:602) > >==1528== by 0x429319: fd_read_body (retr.c:274) > >==1528== by 0x419D75: read_response_body (http.c:1682) > >==1528== by 0x41F778: gethttp (http.c:3753) > >==1528== > >==1528== 208 bytes in 1 blocks are definitely lost in loss record 820 of > 960 > >==1528== at 0x4C28BCD: malloc (in > >/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) > >==1528== by 0x5D7140E: __gconv_lookup_cache (gconv_cache.c:371) > >==1528== by 0x5D69E29: __gconv_find_transform (gconv_db.c:721) > >==1528== by 0x5DF250D: __wcsmbs_getfct (wcsmbsload.c:92) > >==1528== by 0x5DF250D: __wcsmbs_load_conv (wcsmbsload.c:190) > >==1528== by 0x5DE855C: get_gconv_fcts (wcsmbsload.h:75) > >==1528== by 0x5DE855C: mbrtowc (mbrtowc.c:69) > >==1528== by 0x5D7F4EB: mbtowc (mbtowc.c:64) > >==1528== by 0x425307: count_cols (progress.c:804) > >==1528== by 0x425F1B: create_image (progress.c:908) > >==1528== by 0x4267FB: bar_create (progress.c:602) > >==1528== by 0x429319: fd_read_body (retr.c:274) > >==1528== by 0x419D75: read_response_body (http.c:1682) > >==1528== by 0x41F778: gethttp (http.c:3753) > >==1528== > >==1528== LEAK SUMMARY: > >==1528== definitely lost: 416 bytes in 2 blocks > >==1528== indirectly lost: 0 bytes in 0 blocks > >==1528== possibly lost: 0 bytes in 0 blocks > >==1528== still reachable: 923,336 bytes in 19,827 blocks > >==1528== suppressed: 0 bytes in 0 blocks > >==1528== Reachable blocks (those to which a pointer was found) are not > >shown. > >==1528== To see them, rerun with: --leak-check=full --show-leak-kinds=all > >==1528== > >==1528== For counts of detected and suppressed errors, rerun with: -v > >==1528== ERROR SUMMARY: 374197 errors from 4 contexts (suppressed: 1 from > 1) > > -- > Thanking You, > Darshit Shah >
