I don't know if this is fixed already, but I just ran into a crash when trying to select a link on m.facebook.com. Backtrace is attached. Presumably, I had an expired cookie that was being removed. scan_cookie_sublist can remove cookies from the sublist, but it then tries to iterate to the next item, relying on memory that it just freed. The attached patch should fix it.

Note: This only applies to 2.8.8; 2.8.7 handled this correctly.

Thanks,
-Mike
Script started on Thu 27 Nov 2014 08:28:18 AM CST
gdblinux-megc ~$gdb

GNU gdb (GDB; openSUSE 13.2) 7.8

Copyright (C) 2014 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-suse-linux".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<http://bugs.opensuse.org/>.

Find the GDB manual and other documentation resources online at:

<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word".



warning: /etc/gdbinit.d/gdb-heap.py: No such file or directory

(gdb) core lynx.core 

Reading symbols from /usr/bin/lynx...Reading symbols from 
/usr/lib/debug/usr/bin/lynx.debug...done.

done.

warning: Ignoring non-absolute filename: <linux-vdso.so.1>

Missing separate debuginfo for linux-vdso.so.1

Try: zypper install -C 
"debuginfo(build-id)=bf7fd8128ff5dbf412f3fbf8a930fd4f1de580ad"

Core was generated by `lynx -pseudo_inlines -useragent=Mozilla 4.0 (compatible; 
MSIE 6.0; WIndows NT 5'.

Program terminated with signal SIGABRT, Aborted.

#0  0x00007fad17a0f187 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56

56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);

Missing separate debuginfos, use: zypper install 
libncurses6-debuginfo-5.9-52.2.3.x86_64 
libopenssl1_0_0-debuginfo-1.0.1j-2.10.1.x86_64 
libz1-debuginfo-1.2.8-5.1.2.x86_64 nss-mdns-debuginfo-0.10-63.1.2.x86_64

(gdb) bt

#0  0x00007fad17a0f187 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56

#1  0x00007fad17a10538 in __GI_abort () at abort.c:78

#2  0x0000000000434376 in FatalProblem (sig=11) at LYMain.c:4459

#3  <signal handler called>

#4  scan_cookie_sublist (secure=1, 

    header=0x1d0e840 "datr=Kfh0VKWyK895F5RFSbjjE3Qu; 
m_user=0%3A0%3A0%3A0%3Av_1%2Cajax_0%2Cwidth_0%2Cpxr_0%2Cgps_0%3A1416951864%3A2; 
lu=Rg-mLA1_RiorPsBp31l2lrfQ; c_user=500596102; 
fr=0fQkYMNAsStj3Yt0u.AWUVS6Te5BUKqeXEoYluX"..., sublist=0x1ceca20, port=443, 

    path=0x1c63b50 
"/a/like.php?aftercursorr=1417090682%3A1417090682%3A28%3A8224404328593613%3A1417026181%3A0%3A0%3A28800&tab=h_nor&actionsource=feed&ft_ent_identifier=10152529455557406&gfid=AQCclVpUfjal56ug&refid=28&_ft"...,
 hostname=0x1c63730 "m.facebook.com") at LYCookie.c:726

#5  LYAddCookieHeader (hostname=hostname@entry=0x1c63730 "m.facebook.com", 

    path=path@entry=0x1c63b50 
"/a/like.php?aftercursorr=1417090682%3A1417090682%3A28%3A8224404328593613%3A1417026181%3A0%3A0%3A28800&tab=h_nor&actionsource=feed&ft_ent_identifier=10152529455557406&gfid=AQCclVpUfjal56ug&refid=28&_ft"...,
 port=443, secure=secure@entry=1) at LYCookie.c:1886

#6  0x000000000049b02d in HTLoadHTTP (arg=<optimized out>, 
anAnchor=anAnchor@entry=0x1c8aec0, format_out=format_out@entry=0x17b97d0, 
sink=sink@entry=0x0)

    at ../../../WWW/Library/Implementation/HTTP.c:1355

#7  0x0000000000497bc6 in HTLoad (sink=<optimized out>, format_out=0x17b97d0, 
anchor=0x1c8aec0, addr=<optimized out>) at 
../../../WWW/Library/Implementation/HTAccess.c:709

#8  HTLoadDocument (full_address=<optimized out>, anchor=0x1c8aec0, 
format_out=0x17b97d0, sink=<optimized out>) at 
../../../WWW/Library/Implementation/HTAccess.c:942

#9  0x0000000000498938 in HTLoadAbsolute (docaddr=docaddr@entry=0x7fff2e8ee1b0) 
at ../../../WWW/Library/Implementation/HTAccess.c:1124

#10 0x00000000004318c0 in getfile (doc=doc@entry=0x762b60 <newdoc>, 
target=target@entry=0x7fff2e8ee284) at LYGetFile.c:809

#11 0x00000000004376da in mainloop () at LYMainLoop.c:5865

#12 0x000000000040cb95 in main (argc=<optimized out>, argv=0x7fff2e8ee7e8) at 
LYMain.c:2203

(gdb) frame 4

#4  scan_cookie_sublist (secure=1, 

    header=0x1d0e840 "datr=Kfh0VKWyK895F5RFSbjjE3Qu; 
m_user=0%3A0%3A0%3A0%3Av_1%2Cajax_0%2Cwidth_0%2Cpxr_0%2Cgps_0%3A1416951864%3A2; 
lu=Rg-mLA1_RiorPsBp31l2lrfQ; c_user=500596102; 
fr=0fQkYMNAsStj3Yt0u.AWUVS6Te5BUKqeXEoYluX"..., sublist=0x1ceca20, port=443, 

    path=0x1c63b50 
"/a/like.php?aftercursorr=1417090682%3A1417090682%3A28%3A8224404328593613%3A1417026181%3A0%3A0%3A28800&tab=h_nor&actionsource=feed&ft_ent_identifier=10152529455557406&gfid=AQCclVpUfjal56ug&refid=28&_ft"...,
 hostname=0x1c63730 "m.facebook.com") at LYCookie.c:726

726             co = (cookie *) hl->object;

(gdb) print hl

$1 = (HTList *) 0x4545454545454545

(gdb) print sublist

$2 = (HTList *) 0x1ceca20

(gdb) print sublist->next

$3 = (HTList *) 0x1c9d760

(gdb) print sublist->next->next

$4 = (HTList *) 0x1aeceb0

(gdb) print sublist->next->next->next

$5 = (HTList *) 0x1bdb9f0

(gdb) print sublist->next->next->next->next

$6 = (HTList *) 0x0

(gdb) quit

linux-megc ~$yexit


Script done on Thu 27 Nov 2014 08:29:23 AM CST
--- src/LYCookie.c.orig 2013-11-28 18:52:56.000000000 -0600
+++ src/LYCookie.c      2014-11-27 08:27:02.453966314 -0600
@@ -716,13 +716,14 @@
                                 char *header,
                                 int secure)
 {
-    HTList *hl;
+    HTList *hl, *next;
     cookie *co;
     time_t now = time(NULL);
     char crlftab[8];
 
     sprintf(crlftab, "%c%c%c", CR, LF, '\t');
-    for (hl = sublist; hl != NULL; hl = hl->next) {
+    for (hl = sublist; hl != NULL; hl = next) {
+       next = hl->next;
        co = (cookie *) hl->object;
 
        if (co == NULL) {
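Review bot: In the new `for` header, `hl = next` is safe only while the loop body frees nothing but the current `hl`; if the body could ever remove the node that `next` points to, the saved pointer would be just as stale as `hl->next` was. The visible lines do not show what the body removes, so please confirm that, and add a one-line comment at `next = hl->next;` saying the body may free `hl`, so the loop is not later simplified back to `hl = hl->next`.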
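The failure mode described in the report (a list walk that frees the current node and then reads its `next` field), shown with the safe traversal as an added example; this is not code from the original post or from Lynx. The `node` type, `push`, `scan_and_expire` and the sample entries are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for a cookie sublist; not Lynx's HTList or cookie. */
typedef struct node { struct node *next; char name[16]; time_t expires; } node;

static node *push(node *head, const char *name, time_t expires)
{
    node *n = calloc(1, sizeof *n);
    if (n == NULL) abort();
    snprintf(n->name, sizeof n->name, "%s", name);
    n->expires = expires;
    n->next = head;
    return n;
}

/* Free expired entries during the walk, join live names into out, return the
 * count freed. The crashing shape is `n = n->next` after the body freed n. */
static int scan_and_expire(node **head, time_t now, char *out, size_t outlen)
{
    node **link = head;         /* the pointer that currently points at n */
    node *n, *next;
    int removed = 0;
    out[0] = '\0';
    for (n = *head; n != NULL; n = next) {
        next = n->next;         /* read while n is still valid */
        if (n->expires <= now) {
            *link = next;       /* unlink first, then free */
            free(n);
            removed++;
            continue;
        }
        if (out[0] != '\0')
            strncat(out, "; ", outlen - strlen(out) - 1);
        strncat(out, n->name, outlen - strlen(out) - 1);
        link = &n->next;
    }
    return removed;
}

int main(void)
{
    char out[64];                /* sample entries below are constructed */
    node *l = push(push(push(NULL, "pref", 100), "old", 10), "sid", 100);
    int removed = scan_and_expire(&l, 50, out, sizeof out);
    return printf("removed=%d header=%s\n", removed, out) < 0;
}
```

Building the unsafe variant with `-fsanitize=address` reports the stale read as a heap-use-after-free at the loop header.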