Package: modlogan
Version: 0.8.13-4
Severity: normal
Tags: patch
Under some circumstances modlogan crashes with this error message:
*** glibc detected *** realloc(): invalid next size: 0x0884f810 ***
A gdb backtrace shows that the problem is in the html_encode function:
#0 0xf7db8947 in raise () from /lib/tls/libc.so.6
#1 0xf7dba0c9 in abort () from /lib/tls/libc.so.6
#2 0xf7dee6ba in __fsetlocking () from /lib/tls/libc.so.6
#3 0xf7df7ec7 in valloc () from /lib/tls/libc.so.6
#4 0xf7df87d5 in realloc () from /lib/tls/libc.so.6
#5 0x0805f3cc in html_encode ()
#6 0xf7d52fd8 in get_menu_item () from /usr/lib/modlogan/libmla_output_modlogan.so
#7 0xf7d5a6a3 in mplugins_output_modlogan_generate_monthly_output () from /usr/lib/modlogan/libmla_output_modlogan.so
#8 0x0805bfba in generate_monthly_output ()
#9 0x0805d9c6 in main ()
This function is defined on line 485 of src/misc.c
The function replaces some latin-1 characters with their HTML entity
counterpart. After handling each character it checks whether it has more than 4
bytes left in its destination buffer, realloc()ing the buffer otherwise.
The problem is that each iteration might write up to 7 bytes into the
destination buffer (in the case of a character with an umlaut). The attached
patch makes sure that at least 8 bytes of buffer are available before each
iteration.
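For comparison, an encoder whose bounds check is derived from the bytes it is about to write rather than from a fixed constant. This is an added example, not modlogan's code: the entity table is a constructed subset and html_encode_safe is a hypothetical name.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed entity table (a subset; modlogan's own table may differ). */
struct entity { unsigned char ch; const char *rep; };
static const struct entity table[] = {
    { '<', "&lt;" }, { '>', "&gt;" }, { '&', "&amp;" }, { '"', "&quot;" },
    { 0xE4, "&auml;" }, { 0xF6, "&ouml;" }, { 0xFC, "&uuml;" }, { 0xDF, "&szlig;" },
};

static const char *lookup(unsigned char c) {
    size_t i;
    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].ch == c) return table[i].rep;
    return NULL;
}

/* Returns a malloc()ed encoded copy of s, or NULL on NULL input or
 * allocation failure. The caller frees the result. */
char *html_encode_safe(const char *s) {
    size_t cap, len = 0;
    char *q;
    if (!s) return NULL;
    cap = strlen(s) + 1;           /* enough if nothing needs encoding */
    q = malloc(cap);
    if (!q) return NULL;
    for (; *s; s++) {
        const char *rep = lookup((unsigned char)*s);
        size_t need = rep ? strlen(rep) : 1;
        /* Grow *before* writing: room for `need` bytes plus the terminator,
         * so the check never depends on a hard-coded worst-case size. */
        if (len + need + 1 > cap) {
            char *nq;
            cap = (cap + need + 1) * 2;
            nq = realloc(q, cap);
            if (!nq) { free(q); return NULL; } /* keep q valid on failure */
            q = nq;                 /* realloc may move the block */
        }
        if (rep) memcpy(q + len, rep, need);
        else q[len] = *s;
        len += need;
    }
    q[len] = '\0';
    return q;
}
```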
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_DK.ISO-8859-15, LC_CTYPE=en_DK.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages modlogan depends on:
ii libadns1 1.4-2 Asynchronous-capable DNS client li
ii libbz2-1.0 1.0.5-3 high-quality block-sorting file co
ii libc6 2.9-25 GNU C Library: Shared libraries
ii libexpat1 2.0.1-4 XML parsing C library - runtime li
ii libgd2-xpm 2.0.36~rc1~dfsg-3 GD Graphics Library version 2
ii libpcre3 7.8-2 Perl 5 Compatible Regular Expressi
ii libpng12-0 1.2.39-1 PNG library - runtime
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime
modlogan recommends no packages.
modlogan suggests no packages.
-- no debconf information
diff -Nur modloganone.com-0.8.13-4/build-tree/modlogan/src/misc.c modloganone.com-0.8.13-4.new/build-tree/modlogan/src/misc.c
--- modloganone.com-0.8.13-4/build-tree/modlogan/src/misc.c 2004-03-18 03:31:50.000000000 +0100
+++ modloganone.com-0.8.13-4.new/build-tree/modlogan/src/misc.c 2009-09-17 12:46:05.726105139 +0200
@@ -490,7 +490,7 @@
if (!s) return NULL;
- q_len = strlen(s) * 2 + 1;
+ q_len = strlen(s) * 2 + 8;
q = malloc(q_len);
p = q;
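Review bot: the +8 in `q_len = strlen(s) * 2 + 8;` does double duty and deserves a comment: besides giving the first iteration the same headroom the loop check later demands, it keeps q_len at least 8, so the `q_len - 8` in that check cannot go below zero (or wrap, if q_len is unsigned) for very short inputs. The factor-of-2 estimate is still only a guess; since the report says one character can expand to 7 bytes, `strlen(s) * 7 + 1` would size the buffer for the worst case and remove the need for the realloc() path altogether. In the visible context the result of `q = malloc(q_len);` is assigned to p without a NULL check.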
@@ -535,7 +535,7 @@
*(++p) = '\0';
s++;
- if (strlen(q) > (q_len - 4)) {
+ if (strlen(q) > (q_len - 8)) {
q_len += 128;
q = realloc(q, q_len);
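Review bot: `q = realloc(q, q_len);` assigns the result straight back to q, so on failure the only pointer to the original block is overwritten with NULL and the block is leaked; store the result in a temporary and bail out if it is NULL. The hunk ends before the lines that follow the realloc(), so also confirm that p is recomputed from the new q, since realloc() may move the block. The new threshold in `if (strlen(q) > (q_len - 8))` is exactly tight for the 7-byte entity plus terminator described in the report, with no slack; a constant derived from the longest entry in the entity table would document that and survive a longer entity being added later. Finally, calling strlen(q) on every character makes the loop quadratic in the output size; `p - q` already holds the written length.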