[bug #37596] NSXMLParser.m randomly crashes on parsing strings
From: Sebastian Reitenbach
Subject: [bug #37596] NSXMLParser.m randomly crashes on parsing strings
Date: Thu, 18 Oct 2012 16:47:30 +0000
User-agent: Mozilla/5.0 (X11; OpenBSD i386; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
URL:
<http://savannah.gnu.org/bugs/?37596>
Summary: NSXMLParser.m randomly crashes on parsing strings
Project: GNUstep
Submitted by: buzzdee
Submitted on: Thu 18 Oct 2012 04:47:29 PM GMT
Category: Base/Foundation
Severity: 4 - Important
Item Group: Bug
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
-[NSXMLParser _parseEntity:] gives a string that is not NULL-terminated to sscanf,
which may crash, depending on the garbage on the stack, due to the fact that
the string is not NULL-terminated. At least seen on OpenBSD.
It's a similar problem to the one we've seen with SimpleWebKit's NSXMLParser. The attached
patch uses the same solution Nikolaus proposed for SimpleWebKit's NSXMLParser.
Here is a backtrace from MPDCon:
(gdb) bt
#0 0x0aba5c33 in strlen (
str=0x8376568f "039;t notice\nDon't even sound I'm coming\nSoon
you'll have a ..
Everyw[...]</lyrics>\n\t<url>http://lyrics.w0</page_namespac"...) at
/usr/src/lib/libc/string/strlen.c:43
#1 0x0ab332c1 in sscanf (
str=0x8376568f "039;t notice\nDon't even sound I'm coming\nSoon
you'll have a ..
Everyw[...]</lyrics>\n\t<url>http://lyrics.w0</page_namespac"...,
fmt=0x203e0481 "x%x;") at /usr/src/lib/libc/stdio/sscanf.c:59
#2 0x005796a6 in -[NSXMLParser _parseEntity:] (self=0x8224e8a4,
_cmd=0x20464f38, result=0xcfbcc768) at NSXMLParser.m:1388
#3 0x0057aa24 in -[NSXMLParser parse] (self=0x8224e8a4, _cmd=0x3c011bb8) at
NSXMLParser.m:1679
#4 0x1c012d90 in -[LyricsInspector updateLyrics] (self=0x87e7b984,
_cmd=0x3c011b30) at LyricsInspector.m:240
#5 0x1c012878 in -[LyricsInspector songChanged:] (self=0x87e7b984,
_cmd=0x3c011b20, aNotif=0x857b3504) at LyricsInspector.m:210
#6 0x004af9ee in -[NSNotificationCenter _postAndRelease:] (self=0x81febaa4,
_cmd=0x2042a828, notification=0x857b3504) at NSNotificationCenter.m
#7 0x004aefeb in -[NSNotificationCenter postNotification:] (self=0x81febaa4,
_cmd=0x3c003128, notification=0x857b3504) at NSNotificationCenter.
#8 0x1c003f8a in -[AppController(Private) _updateView:] (self=0x8a143484,
_cmd=0x3c003078, sender=0x87e88d04) at AppController.m:585
#9 0x004c33a8 in -[NSObject performSelector:withObject:] (self=0x8a143484,
_cmd=0x2044d648, aSelector=0x3c003078, anObject=0x87e88d04) at NSObj
#10 0x00538786 in -[NSTimer fire] (self=0x87e88d04, _cmd=0x20440bf8) at
NSTimer.m:258
#11 0x00507d69 in -[NSRunLoop limitDateForMode:] (self=0x84592da4,
_cmd=0x20440c58, mode=0x20440cb0) at NSRunLoop.m:1016
#12 0x0050427e in -[NSRunLoop runMode:beforeDate:] (self=0x84592da4,
_cmd=0x200f1720, mode=0x20440cb0, date=0x86793224) at NSRunLoop.m:1255
#13 0x0029d341 in -[GSDisplayServer(EventOps)
getEventMatchingMask:beforeDate:inMode:dequeue:] (self=0x8bb17c04,
_cmd=0x2a9b21d8, mask=429496729
at GSDisplayServer.m:999
#14 0x0a9d084e in __objc_xgcontextevent_linking () from
/usr/local/lib/GNUstep/Bundles/libgnustep-back-022.bundle/./libgnustep-back-022
#15 0x000e7dcf in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x86687084,
_cmd=0x2003e0e8, mask=4294967295, expiratio
at NSApplication.m:2173
#16 0x000e5afb in -[NSApplication run] (self=0x86687084, _cmd=0x20033ee8) at
NSApplication.m:1559
#17 0x000c4733 in NSApplicationMain (argc=1, argv=0xcfbccffc) at
Functions.m:95
#18 0x1c013cf4 in gnustep_base_user_main (argc=1, argv=0xcfbccffc) at
main.m:30
#19 0x004f341e in main (argc=1, argv=Cannot access memory at address 0x4
) at NSProcessInfo.m:984
#20 0x1c003037 in ___start (argc=1, argv=0xcfbccffc, envp=0xcfbcd004,
cleanup=0, obj=0x0, ps_strings=0xcfbfdff0) at /usr/src/lib/csu/i386/crt0.c
#21 0x1c002fb2 in _start () at /usr/src/lib/csu/i386/crt0.c:77
(gdb) frame 2
#2 0x005796a6 in -[NSXMLParser _parseEntity:] (self=0x8224e8a4,
_cmd=0x20464f38, result=0xcfbcc768) at NSXMLParser.m:1388
1388 if (sscanf((char *)ep+1, "x%x;", &val))
Current language: auto; currently minimal
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Thu 18 Oct 2012 04:47:29 PM GMT  Name: patch-Source_NSXMLParser_m  Size: 918B  By: buzzdee
<http://savannah.gnu.org/bugs/download.php?file_id=26787>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?37596>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
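The mechanism behind the backtrace is visible in frames #0 and #1: sscanf() takes a C string, and this libc's implementation calls strlen() on it before scanning, so a pointer into the middle of an XML buffer with no terminating NUL makes it walk memory until it happens to find a zero byte. The program below is an added example, not GNUstep code and not the attached patch (whose contents are not shown in this report). It parses the same "x<hex>;" character reference against an explicit length so no byte past the buffer is ever read, and shows a second variant that keeps sscanf but copies a bounded prefix into a NUL-terminated scratch buffer first. The function names, the 8-digit limit and the sample input are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not GNUstep code and not the attached patch.
 *
 * Parse a hex character reference of the form "x41;" (the bytes after "&#")
 * from a buffer of known length, never touching buf[len] or beyond.  The
 * original call in -[NSXMLParser _parseEntity:],
 *     sscanf((char *)ep+1, "x%x;", &val)
 * has no such bound: sscanf expects a C string, and the OpenBSD libc
 * implementation calls strlen() on it first (frame #0 of the backtrace),
 * so it runs past the end of a non-NUL-terminated XML buffer.
 *
 * Returns the number of bytes consumed ('x', the digits and ';') on
 * success, or 0 if no complete reference fits within len. */
size_t parse_hex_ref(const char *buf, size_t len, unsigned long *val)
{
    unsigned long v = 0;
    size_t i;
    int ndigits = 0;

    if (len < 3 || buf[0] != 'x')   /* need at least "x", one digit, ";" */
        return 0;
    for (i = 1; i < len; i++) {
        int c = (unsigned char)buf[i], d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;                    /* first non-hex byte ends the digits */
        if (++ndigits > 8)             /* Unicode needs at most 6; refuse overflow (assumed limit) */
            return 0;
        v = v * 16 + (unsigned long)d;
    }
    /* The loop stops at a non-hex byte or at len; require the ';' to be in range. */
    if (ndigits == 0 || i >= len || buf[i] != ';')
        return 0;
    *val = v;
    return i + 1;
}

/* Variant that keeps sscanf but makes it safe: copy a bounded prefix into a
 * NUL-terminated scratch buffer so sscanf's internal strlen cannot leave it.
 * "%n" records how many bytes matched so the caller can advance correctly. */
size_t parse_hex_ref_sscanf(const char *buf, size_t len, unsigned long *val)
{
    char tmp[16];
    size_t n = len < sizeof(tmp) - 1 ? len : sizeof(tmp) - 1;
    unsigned x;
    int consumed = 0;

    memcpy(tmp, buf, n);
    tmp[n] = '\0';
    /* sscanf returns the number of conversions assigned; %n is not counted,
     * and is only stored if the literal ';' before it also matched. */
    if (sscanf(tmp, "x%x;%n", &x, &consumed) != 1 || consumed == 0)
        return 0;
    *val = x;
    return (size_t)consumed;
}

/* Convenience wrapper: the decoded code point, or -1 if the bytes are not a
 * complete reference within len. */
long hex_ref_value(const char *buf, size_t len)
{
    unsigned long v;
    return parse_hex_ref(buf, len, &v) ? (long)v : -1;
}

int main(void)
{
    /* Constructed input: a slice of XML text with NO terminating NUL, the
     * situation the parser was in.  sizeof gives the real bound. */
    static const char raw[] = { '&', '#', 'x', '2', '6', ';', '<', '/', 'a', '>' };
    unsigned long cp = 0;
    size_t used = parse_hex_ref(raw + 2, sizeof raw - 2, &cp);

    if (used)
        printf("consumed %zu bytes after \"&#\", code point U+%04lX\n", used, cp);
    else
        printf("no complete reference in range\n");
    return used == 4 && cp == 0x26 ? 0 : 1;
}
```

The hand-written parser is the stricter of the two: sscanf's %x also tolerates leading whitespace and an optional "0x" prefix, so "x 41;" and "x0x41;" would be accepted by the sscanf variant but rejected by parse_hex_ref. Either way the important property is that every read is bounded by the length the caller actually knows, rather than by wherever the next zero byte happens to lie.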