Bug#1125143: marked as done (htmldoc: 1.9.22-1 segfaults on xfig documentation)

Sat, 31 Jan 2026 01:05:10 -0800 

Your message dated Sat, 31 Jan 2026 07:33:31 +0000
with message-id <[email protected]>
and subject line Bug#1125143: fixed in htmldoc 1.9.23-1
has caused the Debian Bug report #1125143,
regarding htmldoc: 1.9.22-1 segfaults on xfig documentation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125143: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125143
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: htmldoc
Version: 1.9.22-1
Severity: important

Dear Maintainer,

building xfig package fails with htmldoc 1.9.22-1 with a segfault:

make[2]: Entering directory '/build/xfig-3.2.9a/doc'
fig2dev -L png -S4 html/images/xfig-title.fig                   \
                ./html/images/xfig-title.png
cd ./html && htmldoc -f ../xfig_ref_en.pdf --no-title   \
        --webpage --header ..c -t pdf14 --size a4 contents.html \
        $(/usr/bin/grep -F '<a href=' contents.html | /usr/bin/sed 's/.*a 
href="//; s/["\#].*//;' | uniq | /usr/bin/grep -F -v japanese)
make[2]: *** [Makefile:601: documentation] Segmentation fault (core dumped)

This happens on amd64 as well as on i386, see
https://salsa.debian.org/debian/xfig/-/pipelines/1004335
(I can also reproduce this with my local sid cowbuilder on amd64).

Six days ago there was no issue in the pipeline
https://salsa.debian.org/debian/xfig/-/pipelines/1000175
but this was htmldoc 1.9.21-1.

So I'm pretty sure, that the issue is triggered by the upgrade of
htmldoc from 1.9.21-1 to 1.9.22-1.

Sadly there are no debug symbols available in the package, seem that
it would be a good idea to add

override_dh_auto_configure:
        dh_auto_configure -- --enable-debug

to debian/rules, to avoid stripping off the debug symbols (before
Debian can save these to dgbsym-Package).

So I built 1.9.22-1 myself without symbols stripped (on Debian trixie)
and then I was able to extract a backtrace from the segfault:

$ gdb htmldoc /tmp/core
GNU gdb (Debian 16.3-1) 16.3
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
 
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from htmldoc...
[New LWP 1995518]
 
This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.debian.net>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/bin/htmldoc -f 
/usr/local/src/Packages/xfig/xfig.git/doc/xfig_ref_en.pdf --no-title --webpage 
--header ..c -t pdf14 --size a4 contents.html introduction.html main_menus.html 
drawing.html editing.html attributes.html panning.html layers.html 
global_settings.html miscellaneous.html fig-format.html i18n.html 
latex_and_xfig.html miscellaneous.html accelerators.html options.html 
printing.html latex_and_xfig.html printing.html new_features.html 
bugs_fixed.html installation.html i18n.html fig-format.html faq.html 
authors.html'.
Program terminated with signal SIGSEGV, Segmentation fault.
Download failed: Das Argument ist ungültig.  Continuing without source file 
./htmldoc/./htmldoc/ps-pdf.cxx.
#0  0x0000561622a8261a in parse_doc (t=0x0, left=0x7ffda4badf94, 
right=0x7ffda4badf98, bottom=0x7ffda4badf9c, top=0x7ffda4badfa0, 
x=0x7ffda4badf8c, y=0x7ffda4badf90, 
    page=0x7ffda4badfa4, cpara=0x0, needspace=0x7ffda4badfa8) at 
./htmldoc/ps-pdf.cxx:4037
 
warning: 4037   ./htmldoc/ps-pdf.cxx: Datei oder Verzeichnis nicht gefunden
(gdb) bt
#0  0x0000561622a8261a in parse_doc (t=0x0, left=0x7ffda4badf94, 
right=0x7ffda4badf98, bottom=0x7ffda4badf9c, top=0x7ffda4badfa0, 
x=0x7ffda4badf8c, y=0x7ffda4badf90, 
    page=0x7ffda4badfa4, cpara=0x0, needspace=0x7ffda4badfa8) at 
./htmldoc/ps-pdf.cxx:4037
#1  0x0000561622a83e2b in parse_doc (t=0x5616403ee450, left=0x7ffda4badf94, 
right=<optimized out>, bottom=<optimized out>, top=<optimized out>, 
x=<optimized out>, 
    y=<optimized out>, page=<optimized out>, cpara=<optimized out>, 
needspace=<optimized out>) at ./htmldoc/ps-pdf.cxx:4448
#2  0x0000561622a828d6 in parse_doc (t=0x5616403e7610, left=0x7ffda4badf94, 
right=<optimized out>, bottom=<optimized out>, top=<optimized out>, 
x=<optimized out>, 
    y=<optimized out>, page=<optimized out>, cpara=<optimized out>, 
needspace=<optimized out>) at ./htmldoc/ps-pdf.cxx:4409
#3  0x0000561622a8ba52 in pspdf_export (document=0x5616403081f0, toc=0x0) at 
./htmldoc/ps-pdf.cxx:801
#4  0x0000561622a5421f in main (argc=<optimized out>, argv=<optimized out>) at 
./htmldoc/htmldoc.cxx:1303
(gdb) bt full
#0  0x0000561622a8261a in parse_doc (t=0x0, left=0x7ffda4badf94, 
right=0x7ffda4badf98, bottom=0x7ffda4badf9c, top=0x7ffda4badfa0, 
x=0x7ffda4badf8c, y=0x7ffda4badf90, 
    page=0x7ffda4badfa4, cpara=0x0, needspace=0x7ffda4badfa8) at 
./htmldoc/ps-pdf.cxx:4037
        i = <optimized out>
        doc = <optimized out>
        para = <optimized out>
        temp = <optimized out>
        var = <optimized out>
        name = <optimized out>
        style = <optimized out>
        width = <optimized out>
        height = <optimized out>
        rgb = {0, 0, 0}
        descend = <optimized out>
        levels = 2
#1  0x0000561622a83e2b in parse_doc (t=0x5616403ee450, left=0x7ffda4badf94, 
right=<optimized out>, bottom=<optimized out>, top=<optimized out>, 
x=<optimized out>, 
    y=<optimized out>, page=<optimized out>, cpara=<optimized out>, 
needspace=<optimized out>) at ./htmldoc/ps-pdf.cxx:4448
        i = <optimized out>
        doc = <optimized out>
        para = <optimized out>
        temp = <optimized out>
        var = <optimized out>
        name = <optimized out>
        style = <optimized out>
        width = <optimized out>
        height = <optimized out>
        rgb = {0, 0, 0}
        descend = false
        levels = 2
#2  0x0000561622a828d6 in parse_doc (t=0x5616403e7610, left=0x7ffda4badf94, 
right=<optimized out>, bottom=<optimized out>, top=<optimized out>, 
x=<optimized out>, 
    y=<optimized out>, page=<optimized out>, cpara=<optimized out>, 
needspace=<optimized out>) at ./htmldoc/ps-pdf.cxx:4409
        i = <optimized out>
        doc = <optimized out>
        para = <optimized out>
        temp = <optimized out>
        var = <optimized out>
        name = <optimized out>
        style = <optimized out>
        width = <optimized out>
        height = <optimized out>
        rgb = {0, 0, 0}
        descend = false
        levels = 2
#3  0x0000561622a8ba52 in pspdf_export (document=0x5616403081f0, toc=0x0) at 
./htmldoc/ps-pdf.cxx:801
        i = <optimized out>
        title_file = <optimized out>
        author = 0x0
        creator = 0x0
        copyright = 0x0
        docnumber = <optimized out>
        keywords = 0x0
        subject = 0x0
        lang = 0x0
        t = <optimized out>
        fp = <optimized out>
        x = 0
        y = 318.154114
        left = 0
        right = 487
        bottom = 22
        top = 748
        width = <optimized out>
        height = <optimized out>
        page = 16
        pos = <optimized out>
        heading = <optimized out>
        toc_duplex = 0
        toc_landscape = 0
        toc_width = <optimized out>
        toc_length = <optimized out>
        toc_left = <optimized out>
        toc_right = <optimized out>
        toc_bottom = <optimized out>
        toc_top = <optimized out>
        timage = <optimized out>
        timage_width = <optimized out>
        timage_height = <optimized out>
        r = <optimized out>
        rgb = {0, 4.61080276e-18, 3.08818156e-41}
        needspace = 0
        source_date_epoch = <optimized out>
        adjust = <optimized out>
        image_adjust = 22
        temp_adjust = <optimized out>
#4  0x0000561622a5421f in main (argc=<optimized out>, argv=<optimized out>) at 
./htmldoc/htmldoc.cxx:1303
        i = <optimized out>
        j = <optimized out>
        document = 0x5616403081f0
        file = <optimized out>
        toc = 0x0
        exportfunc = 0x561622a8b1c0 <pspdf_export(tree_t*, tree_t*)>
        extension = <optimized out>
        fontsize = <optimized out>
        fontspacing = <optimized out>
        num_files = 26
        start_time = 1767972207.319273
        load_time = 1767972207.356056
        end_time = <optimized out>
        debug = <optimized out>


I tried to identify the offending file and found out, that
drawing.html triggers the segfault, so I can reduce the test bed to

htmldoc -f out.pdf -t pdf14 drawing.html

You find the original drawing.html in
https://salsa.debian.org/debian/xfig/-/blob/debian/latest/doc/html/drawing.html

It seems that this has some faulty HTML, since after running the file
through (html)tidy, it is correctly processed by htmldoc.

Anyway, it's not acceptable that htmldoc fails on faulty HTML with a
segfault.

I was able to reduce the file to the following contents to trigger the segfault:

---------------------- snipp -------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<title>Drawing Objects</title>
</head>

<body>
<h1>Drawing Objects</h1>

<dt>
<dd>

</body>
</html>
---------------------- snipp -------------------------------------

It seems that the stand alone "<dd>" (without contents and without
</dd>) triggers the segfault in my case.

I seems that for xfig I can work around this issue by just removing "<dd>"
from line 162 of drawing.html.

But this should be fixed in htmldoc, since segfaults usually are
indicators of security issues.

Hoping, that the above information is good enough to fix or forward
the issue upstream.

Greetings
Roland

--- End Message ---
--- Begin Message --- 
Source: htmldoc
Source-Version: 1.9.23-1
Done: Håvard F. Aasen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
htmldoc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Håvard F. Aasen <[email protected]> (supplier of updated htmldoc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 31 Jan 2026 07:46:24 +0100
Source: htmldoc
Architecture: source
Version: 1.9.23-1
Distribution: unstable
Urgency: medium
Maintainer: Håvard F. Aasen <[email protected]>
Changed-By: Håvard F. Aasen <[email protected]>
Closes: 1125143
Changes:
 htmldoc (1.9.23-1) unstable; urgency=medium
 .
   * New upstream release:
     - Fixed a regression in list handling that caused a crash for empty
       list items. Closes: #1125143
   * Rebase patches
   * Build with debug symbols.
     Thanks to Roland Rosenfeld for the suggestion
   * Update copyright years.
Checksums-Sha1:
 0a507a9c1d1a6c5ddc068860befacc0422403da9 1649 htmldoc_1.9.23-1.dsc
 6daad20d3d82114b73171e7ff0562c2dd94b4458 3293703 htmldoc_1.9.23.orig.tar.gz
 63ff2e913fd680ed61f47d866aa7db11b1bc2ac2 833 htmldoc_1.9.23.orig.tar.gz.asc
 d5eb50d709170bcf632623bb50570f93ffb11a53 15396 htmldoc_1.9.23-1.debian.tar.xz
 a05df3d0b1cb7f6bebd908b859204886432ae444 8815 htmldoc_1.9.23-1_amd64.buildinfo
Checksums-Sha256:
 a6bcbf22514f896a5ea22e8c47b1386e9410ec2e34d821a9c565b77daf163fde 1649 
htmldoc_1.9.23-1.dsc
 73bfe91dc96038f465e0bb2be66eaf91f381c42c7f9b36918d5af80edbca99be 3293703 
htmldoc_1.9.23.orig.tar.gz
 982bf657e1b79da72092cb8cf246f03e84f15520fb832b110c372a70a53f762d 833 
htmldoc_1.9.23.orig.tar.gz.asc
 e416009dd85623364e8f2b2d1d6b2f3f09396e677b3fdf3e2044c24bfedbfec0 15396 
htmldoc_1.9.23-1.debian.tar.xz
 fe92abcfb3854c1ac5b71d01cd9952c076cf6de33731e525f669b447e06e8420 8815 
htmldoc_1.9.23-1_amd64.buildinfo
Files:
 f08fd3ff708a310e27ae302235edb9a8 1649 web optional htmldoc_1.9.23-1.dsc
 99cb11f031be6b73f0dc63c4bccfa56e 3293703 web optional 
htmldoc_1.9.23.orig.tar.gz
 b9c24c3a5460fd8530918a9abd552a21 833 web optional 
htmldoc_1.9.23.orig.tar.gz.asc
 642acb86dad54ebad6dd9705a8c4d44d 15396 web optional 
htmldoc_1.9.23-1.debian.tar.xz
 047cbb462eaa9b17564e4f55d3126c05 8815 web optional 
htmldoc_1.9.23-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iI0EARYKADUWIQSD/42dLkLq3fzhpN2I4w6v/UfCtwUCaX2paBccaGF2YXJkLmYu
YWFzZW5AcGZmdC5ubwAKCRCI4w6v/UfCt5VLAQCzQIC/9yWPBV7UwNJF+ek+GP/2
bZeG7/mnxpQnW4DnLgEAh8GxdJFzeBlr3DzxcG9vND7xi+INu1/+5v4bpIrpnw0=
=tQPX
-----END PGP SIGNATURE-----

Attachment: pgp41jgUoaNIV.pgp
Description: PGP signature


--- End Message ---

Reply via email to