[bug] Segmentation Fault #588
Comments
@MayfeelYang, can you provide an input file that causes this?
@balthisar I have sent an email to you.
@MayfeelYang, which platform are you running on? With ASan enabled on macOS (64-bit), the sample file isn't generating any runtime faults for me. I am using current next branch, but I don't see any commits going back to 5.5.30 that would have addressed this.
Environment:Operating System:
Reproducing: gcc
Exception: gcc
Reproducing: clang
Exception: clang
@MayfeelYang thank you for reporting a bug that shows up when using the And I can certainly repeat it in linux, using the sample file you supplied... that is for sure a nasty file, but certainly tidy should not have a problem... While not exactly the same topic, I made a WIN32 fix in issue #352 for this... specifically my comment-299720449... but then only for As stated there, the Windows MSN documentation is quite clear that the service Maybe it is the same or similar in some linux implementations... and @balthisar, maybe the macOS (64-bit) runtime libraries do not have this problem... are you building the The cmake command line I use in linux is -
The adding of I am still on vacation until mid Sept, but just briefly back at my machines, so prepared the following patch -
diff --git a/src/attrs.c b/src/attrs.c
index a4cb379..bda6f01 100644
--- a/src/attrs.c
+++ b/src/attrs.c
@@ -1475,14 +1475,15 @@ static void CheckLowerCaseAttrValue( TidyDocImpl* doc, Node *node, AttVal *attva
}
/* methods for checking value of a specific attribute */
-#ifdef _WIN32
+/* Issue #588 - use simple macros only!
+ Seems 'isalnum(c)' is undefined and can
+ cause an assert or a SIGSEGV in some libraries
+ if 'c' is not EOF, or in the range 0 to 0xff,
+ so avoid using it. */
#define ISUPPER(a) ((a >= 'A') && (a <= 'Z'))
#define ISLOWER(a) ((a >= 'a') && (a <= 'z'))
#define ISNUMERIC(a) ((a >= '0') && (a <= '9'))
#define ISALNUM(a) (ISUPPER(a) || ISLOWER(a) || ISNUMERIC(a))
-#else
-#define ISALNUM(a) isalnum(a)
-#endif
static Bool IsURLCodePoint( ctmbstr p, uint *increment )
{
As suggested back in #352, the use of these simple macros should work in all cases... @MayfeelYang hope you get a chance to try this patch... it certainly fixes the problem in my linux machine... thanks...
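Review bot: In the ISUPPER, ISLOWER and ISNUMERIC definitions the parameter a is used unparenthesized, and ISALNUM expands it up to six times, so a call site passing an operator expression or an argument with a side effect would be evaluated incorrectly; write the comparisons as ((a) >= 'A') && ((a) <= 'Z') and so on, or replace the macros with a static function. Removing the #else branch also makes the test ASCII-only and locale-independent on every platform, which the new comment should say, and its condition would read more precisely as "if 'c' is neither EOF nor representable as unsigned char", since that is when the behaviour of isalnum(c) is undefined.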
Please use CVE-2017-13692 for this issue.
Has anyone had a chance to test my patch... namely use only the macro in place of @fgeek thanks for the CVE-2017-13692 link, but I will leave others to deal with that...
@geoffmcl What do you mean by deal with that? I just linked it here so that upstream is aware of the CVE identifier. I did not request it. Just cross-referencing from the CVE database.
@fgeek as stated, thanks for the cross-reference, but will leave others, probably the person who opened it, to deal with that... What I need here is someone to test and confirm the patch is good so I can push it as a fix... thanks...
@geoffmcl I have tested and confirmed the patch, it's good.
Merged, so closing.
Description
This crash occurs at attrs.c:1492. In function ISURLCodePoint, the variable c equals 712380 (in this case). When function ISALNUM(c) is called, it can cause Segmentation Fault.
Version
Address Sanitizer Output
GDB Information
PoC
Contact me if you need Poc file at [email protected] or [email protected]
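The failure mode described in this report, as an added example that is not code from the Tidy project or from anyone in this thread: a value such as 712380 is far outside the range for which isalnum() is defined, so a classifier has to either use plain range comparisons or reject large values before calling into ctype. The helper names (ascii_isalnum, guarded_isalnum, decode_utf8) and the idea that the value arises from a multi-byte UTF-8 sequence are assumptions made for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* ASCII-only test built from range comparisons: defined for any value. */
static int ascii_isalnum(unsigned int c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9');
}

/* isalnum() is only defined for EOF and for values representable as
   unsigned char, so everything else is rejected before the call. */
static int guarded_isalnum(unsigned int c)
{
    return c <= UCHAR_MAX && isalnum((int)c) != 0;
}

/* Hypothetical helper (assumption, simplified: no overlong or surrogate
   checks). Decodes one UTF-8 sequence from a NUL-terminated buffer,
   stores its length in *len and returns the code point, or returns
   0xFFFD with *len = 1 on a bad lead or continuation byte. */
static unsigned int decode_utf8(const unsigned char *p, size_t *len)
{
    unsigned int c = p[0];
    size_t n = c < 0x80 ? 1 : (c & 0xE0) == 0xC0 ? 2
             : (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 0;
    if (n == 0) { *len = 1; return 0xFFFD; }
    if (n > 1) c &= 0xFFu >> (n + 1);   /* keep only the lead byte's payload bits */
    for (size_t i = 1; i < n; i++) {
        if ((p[i] & 0xC0) != 0x80) { *len = 1; return 0xFFFD; }
        c = (c << 6) | (p[i] & 0x3Fu);
    }
    *len = n;
    return c;
}

int main(void)
{
    /* Constructed sample: the UTF-8 bytes of code point 712380 (0xADEBC). */
    const unsigned char sample[] = "\xF2\xAD\xBA\xBC";
    size_t len;
    unsigned int c = decode_utf8(sample, &len);
    printf("c=%u len=%zu ascii=%d guarded=%d\n", c, len,
           ascii_isalnum(c), guarded_isalnum(c));
    return 0;
}
```

Both classifiers return 0 for 712380 without ever passing it to the C library.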