Your message dated Fri, 26 Jul 2024 18:55:09 +0000
with message-id <[email protected]>
and subject line Bug#1075846: Removed package(s) from unstable
has caused the Debian Bug report #1057485,
regarding tk-html3: Null pointer dereference causing a crash in libTkhtml3.0.so
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
1057485: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057485
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tk-html3
Version: 3.0~fossil20110109-8
Severity: normal
X-Debbugs-Cc: none

Dear Maintainer,

I am not sure whether this is the right place, but I would like to report a bug in libTkhtml3.0.so used by the hv3 browser.

To reproduce it use the following steps:

```
$ echo '<style>.hello { background-color:rgb(A); }</style>' > bug.html
$ hv3 bug.html
Segmentation fault
```

Due to the printed Segmentation fault message, I researched the bug a bit further to establish why it happens. This is the backtrace shown once SIGSEGV occurs:

```
 ► 0 0x7ffff73b4482 inputNextToken+50
   1 0x7ffff73b49cb inputNextTokenIgnoreSpace+11
   2 0x7ffff73b5b57 HtmlCssGetNextCommaListItem+71
   3 0x7ffff73af784 tokenToProperty+1444
   4 0x7ffff73b0155 HtmlCssDeclaration+421
   5 0x7ffff73b4e0b parseDeclarationBlock+795
   6 0x7ffff73b5510 HtmlCssRunParser+1696
   7 0x7ffff73aeabd cssParse+429
```

The function in question is `tokenToProperty`, which calls the `rgbToColor` function that parses the `rgb()` CSS function call:
https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L430

The parser expects the format of the function call to be `rgb(A, B, C)`, which doesn't have to be the case nowadays. A valid example may be:

```
#example { background-color: rgb(var(--color)); }
```

Because the function call does not conform to the format hv3 expects, the `rgbToColor` function will iterate three times through its arguments searching for values separated by commas and end up dereferencing a null pointer:

```
 ► 0x7ffff73af77f <tokenToProperty+1439>    call   HtmlCssGetNextCommaListItem@plt <HtmlCssGetNextCommaListItem@plt>
        rdi: 0x0
        rsi: 0x55f7348b
        rdx: 0x7fffffffc048 ◂— 0xffffffffffffffff
        rcx: 0x0
...
Thread 1 "wish" received signal SIGSEGV, Segmentation fault.
0x00007ffff73b4482 in inputNextToken () from /usr/lib/Tkhtml3.0/libTkhtml3.0.so
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────
 RAX  0x0
 RBX  0x0
 RCX  0x0
*RDX  0x7fffffffc538 ◂— 0xffffffffffffffff
*RDI  0x7fffffffc400 ◂— 0x0
*RSI  0x55fbd63f
*R8   0x7ffff7c6d560 (_nl_global_locale) —▸ 0x5555555593f0 —▸ 0x555555559350 ◂— 'en_US.UTF-8'
*R9   0x3
 R10  0x0
*R11  0x7ffff7c164c0 (_nl_C_LC_CTYPE_tolower+512) ◂— 0x100000000
 R12  0x0
*R13  0x7fffffffc400 ◂— 0x0
 R14  0x0
*R15  0x55fbd63f
*RBP  0x55fbd63f
*RSP  0x7fffffffc360 —▸ 0x555555f886b0 ◂— 0x3
*RIP  0x7ffff73b4482 (inputNextToken+50) ◂— cmp byte ptr [rbx], 0x2f
──────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────
 ► 0x7ffff73b4482 <inputNextToken+50>     cmp    byte ptr [rbx], 0x2f
   0x7ffff73b4485 <inputNextToken+53>     je     inputNextToken+232 <inputNextToken+232>
    ↓
   0x7ffff73b4538 <inputNextToken+232>    cmp    byte ptr [rbx + 1], 0x2a
   0x7ffff73b453c <inputNextToken+236>    jne    inputNextToken+59 <inputNextToken+59>
    ↓
   0x7ffff73b448b <inputNextToken+59>     movzx  edx, byte ptr [rbx]
   0x7ffff73b448e <inputNextToken+62>     cmp    dl, 0x20
   0x7ffff73b4491 <inputNextToken+65>     jle    inputNextToken+97 <inputNextToken+97>
    ↓
   0x7ffff73b44b1 <inputNextToken+97>     cmp    dl, 8
   0x7ffff73b44b4 <inputNextToken+100>    jg     inputNextToken+398 <inputNextToken+398>
    ↓
   0x7ffff73b45de <inputNextToken+398>    movabs rax, 0x100002600
   0x7ffff73b45e8 <inputNextToken+408>    bt     rax, rdx
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsp 0x7fffffffc360 —▸ 0x555555f886b0 ◂— 0x3
01:0008│     0x7fffffffc368 ◂— 0x41007fffffffffff
02:0010│     0x7fffffffc370 ◂— 0x0
03:0018│     0x7fffffffc378 ◂— 0x0
04:0020│     0x7fffffffc380 —▸ 0x555555f886e0 ◂— 0x3
05:0028│     0x7fffffffc388 ◂— 0xf037dcd0ffffffff
06:0030│     0x7fffffffc390 —▸ 0x555555b3427b ◂— 'info exists ::hv3::log_source_option]} return\n if {$::hv3::log_source_option} {\n append O(myHtmlDocument) $data\n }\n '
07:0038│     0x7fffffffc398 —▸ 0x7fffffffc138 —▸ 0x7fffffffc1b8 —▸ 0x7fffffffc1d8 ◂— 0x0
...
```

In the code I have identified the following calls causing the crash:

- `rgbToColor` fetches the next comma list item by calling `HtmlCssGetNextCommaListItem`:
  https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L444

  ```
  aToken[ii].z = HtmlCssGetNextCommaListItem(z, zEnd - z, &aToken[ii].n);
  ```

- `HtmlCssGetNextCommaListItem` calls `inputNextTokenIgnoreSpace`, which calls `inputNextToken`:
  https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L1186

  ```
  inputNextTokenIgnoreSpace(&sInput);
  ```

- `inputNextToken` references the first element of the NULL pointer, `z[0]`:
  https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L208

  ```
  switch( z[0] ){
  ```

This bug also makes the hv3 browser crash on legitimate sites, effectively making it unusable:

```
$ hv3 http://wordpress.com
Error in -requestcmd https://fonts-api.wp.com/css?family=Raleway:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|Cabin:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|: Illegal characters in URL path
Segmentation fault
```

If my analysis is correct, the fix for this issue would be to change the current rgb function parsing implementation and add support for other types of function arguments.

Although it seems to me that this browser has been unmaintained for several years now, I see it is available in the Debian repos, so I decided to report the bug.
-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tk-html3 depends on:
ii  libc6     2.36-9+deb12u3
ii  libx11-6  2:1.8.4-2+deb12u2
ii  tk        8.6.13

tk-html3 recommends no packages.

tk-html3 suggests no packages.

-- no debconf information
--- End Message ---
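To make the failure mode the report describes concrete, here is an added, simplified C model that is not tkhtml3 code: a comma-list tokenizer that returns NULL once nothing remains, and an rgb() argument reader that treats that NULL as a malformed value instead of handing it back to the tokenizer. The function names and the "exactly three 0..255 integers" grammar are assumptions made for this example.

```c
/* Added, simplified model of the crash pattern in the report (not tkhtml3 code,
 * names hypothetical): a comma-list tokenizer that returns NULL when the list is
 * exhausted, and an rgb() reader that checks that NULL before using it. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Next comma-separated item in z[0..n), length in *pLen; NULL when none left. */
static const char *next_comma_item(const char *z, int n, int *pLen)
{
    int i = 0, len = 0;
    while (i < n && isspace((unsigned char)z[i])) i++;
    if (i >= n) return NULL;
    const char *start = z + i;
    while (i < n && z[i] != ',') { i++; len++; }
    while (len > 0 && isspace((unsigned char)start[len - 1])) len--;
    *pLen = len;
    return start;
}

/* Read exactly three 0..255 integers from the argument list of rgb(...).
 * Returns 1 on success, 0 for any other shape (e.g. "A" or "var(--color)"). */
int parse_rgb_args(const char *zArgs, int nArgs, int out[3])
{
    const char *z = zArgs, *zEnd = zArgs + nArgs;
    for (int ii = 0; ii < 3; ii++) {
        int n = 0, v = 0;
        if (z == NULL) return 0;           /* list exhausted: the report's crash point */
        const char *item = next_comma_item(z, (int)(zEnd - z), &n);
        if (item == NULL || n == 0) return 0;
        for (int k = 0; k < n; k++) {
            if (!isdigit((unsigned char)item[k])) return 0;
            v = v * 10 + (item[k] - '0');
        }
        if (v > 255) return 0;
        out[ii] = v;
        z = item + n;                          /* skip to the next comma */
        while (z < zEnd && *z != ',') z++;
        z = (z < zEnd) ? z + 1 : NULL;         /* NULL marks exhaustion */
    }
    return z == NULL;                          /* reject trailing extra items */
}

/* Convenience wrapper for NUL-terminated input: channel idx (0..2) or -1. */
int rgb_channel(const char *s, int idx)
{
    int out[3];
    if (idx < 0 || idx > 2 || !parse_rgb_args(s, (int)strlen(s), out)) return -1;
    return out[idx];
}
```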
--- Begin Message ---
Version: 3.0~fossil20110109-9+rm

Dear submitter,

as the package tk-html3 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry that
we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1075846

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
_______________________________________________
Pkg-tcltk-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-tcltk-devel
