Bug#579890: [pkg-wine-party] Bug#579890: grotty: infinite loop when processing a man page
clone 579890 -1 reassign -1 libwine-dev-unstable retitle -1 libwine-dev-unstable: need to escape literal backslashes in manual pages thanks On Sat, May 15, 2010 at 01:11:02PM +0200, Ove Kaaven wrote: Colin Watson skrev: Thanks. Here's a reduced test case (run with 'groff -Tutf8 -mandoc'): .TH GetMIMETypeSubKeyA 3w Jun 2009 Wine API Wine API .SH NAME \fBGetMIMETypeSubKeyA\fR (SHLWAPI.328) .SH NOTES .PP The base path for the key is \fBMIME\Database\Content Type\\fR There are two bugs here. The simpler one to fix is the bug in the manual page (CCed w...@packages.debian.org for this). It's using \ to mean a literal backslash, but actually \ introduces a groff escape; \D emits a drawing command while \C typesets a glyph by name. This line should instead read: The base path for the key is \fBMIME\eDatabase\eContent Type\\fR These man pages are generated by a Perl script (wine/tools/c2man.pl). I don't know Perl. But if you open a bug report on libwine-dev-unstable or so, I could perhaps forward it upstream or something. OK - have a clone of this bug report, then. Maybe something like this would work? I'm not set up to build Wine at the moment so I can't easily test it. === modified file 'tools/c2man.pl' --- tools/c2man.pl 2010-05-17 12:04:42 + +++ tools/c2man.pl 2010-05-17 12:21:17 + @@ -1583,6 +1583,11 @@ sub output_api_comment($) s/\([Cc]\)/\copy;/g; s/\(tm\)/#174;/; } +else +{ + # Map special characters + s/\\/\e\\/g; +} if ( s/^\|// ) { Thanks, -- Colin Watson [cjwat...@debian.org] -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#579890: [pkg-wine-party] Bug#579890: grotty: infinite loop when processing a man page
Colin Watson skrev: Thanks. Here's a reduced test case (run with 'groff -Tutf8 -mandoc'): .TH GetMIMETypeSubKeyA 3w Jun 2009 Wine API Wine API .SH NAME \fBGetMIMETypeSubKeyA\fR (SHLWAPI.328) .SH NOTES .PP The base path for the key is \fBMIME\Database\Content Type\\fR There are two bugs here. The simpler one to fix is the bug in the manual page (CCed w...@packages.debian.org for this). It's using \ to mean a literal backslash, but actually \ introduces a groff escape; \D emits a drawing command while \C typesets a glyph by name. This line should instead read: The base path for the key is \fBMIME\eDatabase\eContent Type\\fR These man pages are generated by a Perl script (wine/tools/c2man.pl). I don't know Perl. But if you open a bug report on libwine-dev-unstable or so, I could perhaps forward it upstream or something. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#579890: grotty: infinite loop when processing a man page
In fact, you can reproduce this infinite loop with just the following grotty input: x T utf8 x res 240 24 40 x init p1 Dt The following patch would turn this into a fatal error instead, [...] Thanks a lot! I've applied your patch to the CVS repository. Werner -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#579890: grotty: infinite loop when processing a man page
On Sat, May 01, 2010 at 09:42:04PM -0500, Raphael Geissert wrote: grotty appears to enter an infinite loop when processing libwine-dev's (possibly libwine-unstable-dev's too) GetMIMETypeSubKeyA(3w) manpage. Reproducing it is as simple as running: man --warnings -E UTF-8 -l GetMIMETypeSubKeyA.3w.gz (yep, lintian's check is affected, that's how I noticed it -- not sure if you read the thread on lint-maint.) The version on the report is lenny's, but I'm able to reproduce it in sid too (with version 1.20.1-9.) I guess that running grotty under the effects of a fuzzer would reveal more bugs. Thanks. Here's a reduced test case (run with 'groff -Tutf8 -mandoc'): .TH GetMIMETypeSubKeyA 3w Jun 2009 Wine API Wine API .SH NAME \fBGetMIMETypeSubKeyA\fR (SHLWAPI.328) .SH NOTES .PP The base path for the key is \fBMIME\Database\Content Type\\fR There are two bugs here. The simpler one to fix is the bug in the manual page (CCed w...@packages.debian.org for this). It's using \ to mean a literal backslash, but actually \ introduces a groff escape; \D emits a drawing command while \C typesets a glyph by name. This line should instead read: The base path for the key is \fBMIME\eDatabase\eContent Type\\fR The infinite loop in grotty is a bit harder. What's happening is that the \D escape emits ditroff commands fairly directly, and in this particular case you end up with a line that just contains 'Dt', without the required argument. In fact, you can reproduce this infinite loop with just the following grotty input: x T utf8 x res 240 24 40 x init p1 Dt The following patch would turn this into a fatal error instead, which isn't ideal either but is certainly better than an infinite loop. However, I don't know this code very well and would appreciate review. 2010-05-04 Colin Watson cjwat...@debian.org * src/libs/libdriver/input.cpp (get_integer_arg): Emit a fatal error on a non-integer argument, bringing the code into line with the behaviour documented in the header comment. (get_possibly_integer_args): Terminate the loop on a non-integer argument. (next_arg_begin): Return newline or EOF after emitting the corresponding error, rather than continuing on to the next line. Index: b/src/libs/libdriver/input.cpp === --- a/src/libs/libdriver/input.cpp +++ b/src/libs/libdriver/input.cpp @@ -790,7 +790,7 @@ c = get_char(); } if (!isdigit((int) c)) -error(integer argument expected); +fatal(integer argument expected); while (isdigit((int) c)) { buf.append(c); c = get_char(); @@ -879,6 +879,7 @@ break; default: error(integer argument expected); + done = true; break; } } @@ -946,7 +947,7 @@ case '\n': case EOF: error(missing argument); - break; + return c; default: // first essential character return c; } Thanks, -- Colin Watson [cjwat...@debian.org] -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#579890: grotty: infinite loop when processing a man page
Package: groff-base Version: 1.18.1.1-21 Hi Colin! grotty appears to enter an infinite loop when processing libwine-dev's (possibly libwine-unstable-dev's too) GetMIMETypeSubKeyA(3w) manpage. Reproducing it is as simple as running: man --warnings -E UTF-8 -l GetMIMETypeSubKeyA.3w.gz (yep, lintian's check is affected, that's how I noticed it -- not sure if you read the thread on lint-maint.) The version on the report is lenny's, but I'm able to reproduce it in sid too (with version 1.20.1-9.) I guess that running grotty under the effects of a fuzzer would reveal more bugs. Since ftp-master's lintian only runs some checks (none manpage-related) and mentors.d.n only runs lintian on source packages I don't think it's worth treating it as a security issue. It might be worth fixing it in an SPU, though. I'm attaching the manpage. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net GetMIMETypeSubKeyA.3w.gz Description: GNU Zip compressed data