Package: libepub0
Version: 0.2.2-4+b4
Severity: normal
Tags: patch upstream

Dear Maintainer,

baloo_file_extractor crashes when analyzing malformed epub files, because some of
them make libepub segfault; since the extractor indexes whatever files it finds, a
malformed or crafted epub in an indexed directory is enough to trigger this.

Because the extractor retries the same file after it is restarted, it crashes again
every time, so indexing never gets past that file.

I am attaching a patch for libepub that resolves the crash and lets
baloo_file_extractor scan the file successfully.
Note that baloo_file_extractor also used more than 8 GiB of memory while scanning
some epub files, which suggests that libepub may leak memory on such inputs as
well.
Application: baloo_file_extractor (5.62.0)

Qt Version: 5.11.3
Frameworks Version: 5.62.0
Operating System: Linux 5.2.0-2-amd64 x86_64
Distribution: Debian GNU/Linux bullseye/sid

-- Information about the crash:
<Tell us in detail what you were doing when the application crashed.>

The crash can be reproduced every time.

-- Backtrace:
Application: Extracteur de fichier Baloo (baloo_file_extractor), signal: 
Segmentation fault
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f7c407b5040 (LWP 1788))]

Thread 3 (Thread 0x7f7c3eb10700 (LWP 1795)):
#0  0x00007f7c43cbfd2f in poll () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f7c42eebbf6 in g_main_context_poll (priority=<optimized out>, 
n_fds=1, fds=0x7f7c3001a640, timeout=<optimized out>, context=0x7f7c30000bf0) 
at ../../../glib/gmain.c:4228
#2  g_main_context_iterate (context=context@entry=0x7f7c30000bf0, 
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at 
../../../glib/gmain.c:3922
#3  0x00007f7c42eebd1c in g_main_context_iteration (context=0x7f7c30000bf0, 
may_block=may_block@entry=1) at ../../../glib/gmain.c:3988
#4  0x00007f7c442263e3 in QEventDispatcherGlib::processEvents 
(this=0x7f7c30000b20, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#5  0x00007f7c441d3cfb in QEventLoop::exec (this=this@entry=0x7f7c3eb0fd70, 
flags=..., flags@entry=...) at 
../../include/QtCore/../../src/corelib/global/qflags.h:140
#6  0x00007f7c44023d8e in QThread::exec (this=<optimized out>) at 
../../include/QtCore/../../src/corelib/global/qflags.h:120
#7  0x00007f7c45159545 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5DBus.so.5
#8  0x00007f7c4402da07 in QThreadPrivate::start (arg=0x7f7c451d8d60) at 
thread/qthread_unix.cpp:367
#9  0x00007f7c43765fb7 in start_thread () from 
/lib/x86_64-linux-gnu/libpthread.so.0
#10 0x00007f7c43cca2ef in clone () from /lib/x86_64-linux-gnu/libc.so.6

Thread 2 (Thread 0x7f7c3f5bd700 (LWP 1789)):
#0  0x00007f7c43cbfd2f in poll () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f7c42e72cf7 in ?? () from /usr/lib/x86_64-linux-gnu/libxcb.so.1
#2  0x00007f7c42e7491a in xcb_wait_for_event () from 
/usr/lib/x86_64-linux-gnu/libxcb.so.1
#3  0x00007f7c40368d79 in QXcbEventReader::run (this=0x55b606189d90) at 
qxcbconnection.h:409
#4  0x00007f7c4402da07 in QThreadPrivate::start (arg=0x55b606189d90) at 
thread/qthread_unix.cpp:367
#5  0x00007f7c43765fb7 in start_thread () from 
/lib/x86_64-linux-gnu/libpthread.so.0
#6  0x00007f7c43cca2ef in clone () from /lib/x86_64-linux-gnu/libc.so.6

Thread 1 (Thread 0x7f7c407b5040 (LWP 1788)):
[KCrash Handler]
#6  0x00007f7c3dd57bf0 in _list_cmp_label_by_lang () from /usr/lib/libepub.so.0
#7  0x00007f7c3dd574c8 in FindNode () from /usr/lib/libepub.so.0
#8  0x00007f7c3dd56aae in _opf_label_get_by_lang () from /usr/lib/libepub.so.0
#9  0x00007f7c3dd53629 in epub_tit_next () from /usr/lib/libepub.so.0
#10 0x00007f7c3df89088 in KFileMetaData::EPubExtractor::extract 
(this=<optimized out>, result=0x7fff4f1e5470) at 
./src/extractors/epubextractor.cpp:184
#11 0x000055b605347d47 in Baloo::App::index (this=this@entry=0x7fff4f1e5bb0, 
tr=0x55b6061f1d80, url=..., id=id@entry=36107081387933192) at 
./src/file/extractor/app.cpp:192
#12 0x000055b60534a05b in Baloo::App::processNextFile (this=0x7fff4f1e5bb0) at 
./src/file/extractor/app.cpp:112
#13 0x00007f7c4420a106 in QtPrivate::QSlotObjectBase::call (a=0x7fff4f1e55c0, 
r=<optimized out>, this=<optimized out>) at 
../../include/QtCore/../../src/corelib/kernel/qobjectdefs_impl.h:376
#14 QSingleShotTimer::timerEvent (this=0x55b60627b950) at kernel/qtimer.cpp:318
#15 0x00007f7c441fed1b in QObject::event (this=0x55b60627b950, e=<optimized 
out>) at kernel/qobject.cpp:1232
#16 0x00007f7c44b4f501 in QApplicationPrivate::notify_helper 
(this=this@entry=0x55b6061770d0, receiver=receiver@entry=0x55b60627b950, 
e=e@entry=0x7fff4f1e5880) at kernel/qapplication.cpp:3726
#17 0x00007f7c44b569b0 in QApplication::notify (this=0x7fff4f1e5ba0, 
receiver=0x55b60627b950, e=0x7fff4f1e5880) at kernel/qapplication.cpp:3485
#18 0x00007f7c441d5029 in QCoreApplication::notifyInternal2 
(receiver=0x55b60627b950, event=event@entry=0x7fff4f1e5880) at 
../../include/QtCore/5.11.3/QtCore/private/../../../../../src/corelib/thread/qthread_p.h:307
#19 0x00007f7c442257d8 in QCoreApplication::sendEvent (event=0x7fff4f1e5880, 
receiver=<optimized out>) at 
../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:234
#20 QTimerInfoList::activateTimers (this=0x55b6061c9f80) at 
kernel/qtimerinfo_unix.cpp:643
#21 0x00007f7c4422606c in timerSourceDispatch (source=<optimized out>) at 
kernel/qeventdispatcher_glib.cpp:182
#22 idleTimerSourceDispatch (source=<optimized out>) at 
kernel/qeventdispatcher_glib.cpp:229
#23 0x00007f7c42eeb9ee in g_main_dispatch (context=0x7f7c38004fd0) at 
../../../glib/gmain.c:3189
#24 g_main_context_dispatch (context=context@entry=0x7f7c38004fd0) at 
../../../glib/gmain.c:3854
#25 0x00007f7c42eebc88 in g_main_context_iterate 
(context=context@entry=0x7f7c38004fd0, block=block@entry=1, 
dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:3927
#26 0x00007f7c42eebd1c in g_main_context_iteration (context=0x7f7c38004fd0, 
may_block=may_block@entry=1) at ../../../glib/gmain.c:3988
#27 0x00007f7c442263c7 in QEventDispatcherGlib::processEvents 
(this=0x55b6061c7740, flags=...) at kernel/qeventdispatcher_glib.cpp:422
#28 0x00007f7c403ff391 in QPAEventDispatcherGlib::processEvents 
(this=0x55b6061c7740, flags=...) at qeventdispatcher_glib.cpp:69
#29 0x00007f7c441d3cfb in QEventLoop::exec (this=this@entry=0x7fff4f1e5b00, 
flags=..., flags@entry=...) at 
../../include/QtCore/../../src/corelib/global/qflags.h:140
#30 0x00007f7c441dbcd2 in QCoreApplication::exec () at 
../../include/QtCore/../../src/corelib/global/qflags.h:120
#31 0x000055b605347370 in main (argc=<optimized out>, argv=<optimized out>) at 
./src/file/extractor/main.cpp:59
[Inferior 1 (process 1788) detached]

Possible duplicates by query: bug 411627.
Index: ebook-tools-0.2.2/src/libepub/linklist.c
===================================================================
--- ebook-tools-0.2.2.orig/src/libepub/linklist.c
+++ ebook-tools-0.2.2/src/libepub/linklist.c
@@ -115,7 +115,8 @@ void *FindNode(listPtr List, void *Data)
       
       while ((Compare = (List->compare)(List->Current->Data, Data)) != 0) {
                  List->Current = List->Current->Next;
-                 if (List->Current == NULL)
+                 if ((List->Current == NULL) ||
+                     (List->Current->Data == NULL))
                          return NULL; // end of list
          }
     }
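Review bot: The NULL-Data guard added at L144-145 only covers nodes reached through `Next`; the node `List->Current` points to when the `while` is first entered is still handed to `List->compare` unchecked, so a first element with no payload would crash the same way, unless the code above the hunk already rejects it (FindNode's body starts before the hunk). Since the list contents come straight from the parsed EPUB, I would apply the same guard before the first comparison: `if (List->Current == NULL || List->Current->Data == NULL) return NULL;`. The new branch also changes the function's contract (a NULL payload now ends the search), which deserves a comment such as `/* a node without payload ends the search instead of being passed to compare */`.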
Index: ebook-tools-0.2.2/src/libepub/list.c
===================================================================
--- ebook-tools-0.2.2.orig/src/libepub/list.c
+++ ebook-tools-0.2.2/src/libepub/list.c
@@ -137,6 +137,9 @@ int _list_cmp_manifest_by_id(struct mani
 
 int _list_cmp_label_by_lang(struct tocLabel *t1, struct tocLabel *t2) {
 
+  if ((t1 == NULL) || (t2 == NULL))
+    return 0;
+
   if (! t1->lang || ! t2->lang)
     return 0;
 
Index: ebook-tools-0.2.2/src/libepub/epub.c
===================================================================
--- ebook-tools-0.2.2.orig/src/libepub/epub.c
+++ ebook-tools-0.2.2/src/libepub/epub.c
@@ -469,8 +469,9 @@ int epub_tit_next(struct titerator *tit)
   case TITERATOR_NAVMAP:
   case TITERATOR_PAGES:
     ti = GetNodeData(curr);
-    tit->cache.label = 
-      (char *)_opf_label_get_by_doc_lang(tit->epub->opf, ti->label);
+    if (ti->label)
+      tit->cache.label =
+        (char *)_opf_label_get_by_doc_lang(tit->epub->opf, ti->label);
 
     if (! tit->cache.label)
       tit->cache.label = (char *)ti->id;
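Review bot: When `ti->label` is NULL the new code at L173-175 leaves `tit->cache.label` untouched, so the fallback to `ti->id` on L177-178 only fires if the cache was already NULL; if it still holds the previous nav point's label (any reset of the cache is outside the hunk) the caller is handed the previous entry's title for this one. Assigning unconditionally keeps the fallback reliable: `tit->cache.label = ti->label ? (char *)_opf_label_get_by_doc_lang(tit->epub->opf, ti->label) : NULL;`. `ti` itself is also dereferenced right after `GetNodeData(curr)` without a NULL check; that is pre-existing, but worth the same treatment given the data comes from a possibly malformed file. epub_tit_next's body starts and ends outside the hunk.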
Index: ebook-tools-0.2.2/src/libepub/opf.c
===================================================================
--- ebook-tools-0.2.2.orig/src/libepub/opf.c
+++ ebook-tools-0.2.2/src/libepub/opf.c
@@ -394,6 +394,10 @@ void _opf_parse_navmap(struct opf *opf,
      
       } else if (xmlTextReaderNodeType(reader) == 15) {
         if (item) {
+          if (! item->label) {
+            _epub_print_debug(opf->epub, DEBUG_WARNING, 
+                              "- missing navlabel for nav point element");
+          }
           _epub_print_debug(opf->epub, DEBUG_INFO, 
                             "adding nav point item->%s %s (d:%d,p:%d)", 
                             item->id, item->src, item->depth, item->playOrder);
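Review bot: The warning added at L187-190 is diagnostic only: the item is still added with `label == NULL` (the "adding nav point" call on L191-193 runs regardless), so every consumer of the navmap has to tolerate a NULL label; if falling back to the item id is the intended behaviour, consider applying it once here at parse time instead of in each reader. The message should also name the offending nav point so it can be located in the file, e.g. `"- missing navlabel for nav point element %s", item->id`, provided `item->id` is non-NULL here (it is already printed with `%s` two lines below, so the same assumption is being made). _opf_parse_navmap's body starts and ends outside the hunk.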
