Package: links
Version: 0.99+1.00pre12-1

The following HTML declaration makes links crash due to a segmentation fault:

<META HTTP-EQUIV="&top">

Granted, the sample is not exactly sensible HTML, but crashing is still a rather severe effect (and this can probably be triggered by other values), so I thought to report this anyway.

I fetched the source package and built it myself to get more debug information, then gave this a brief check with gdb. The reason for the crash seems to be that the "to" parameter passed to the u2cp function is in this case not initialized and as it is used in the function as an array index, bad things unsurprisingly do happen.

Actually, it looked to me like the value that will be passed to u2cp as "to" parameter might always be uninitialized while handling http-equiv, but usually we just don't end up in the u2cp and thus do not crash.

The GDB backtrace lists the relevant functions nicely (the interesting bits are #0-#6):

#0  0x08051e67 in u2cp (u=8868, to=135447896) at charsets.c:102
#1  0x080529d5 in convert_string (ct=0x0, c=0x812da80 "&top", l=4) at charsets.c:343
#2  0x08061b84 in get_attr_val (e=0x812da80 "&top", name=0x80ac0a5 "http-equiv") at html.c:148
#3  0x0806ab28 in scan_http_equiv (
    s=0x812c8e2 "\n</HEAD>\n<BODY>\n</BODY>\n</HTML>", eof=0x812c901 "",
    head=0xbfe82a18, hdl=0xbfe82a14, title=0xbfe82a10) at html.c:2458
#4  0x0806dcad in format_html (ce=0x0, screen=0x812d938) at html_r.c:987
#5  0x0806e3d4 in cached_format_html (vs=0x80a7ef7, screen=0x81272d8, opt=0xbfe82a90) at html_r.c:1156
#6  0x0806ebd3 in html_interpret (ses=0x812c558) at html_r.c:1304
#7  0x0808cb0e in display_timer (ses=0x812c558) at session.c:1040
#8  0x0808cd66 in end_load (stat=0x812c580, ses=0x812c558) at session.c:1087
#9  0x08083c18 in send_connection_info (c=0x812c670) at sched.c:225
#10 0x08083c4e in del_connection (c=0x812c670) at sched.c:230
#11 0x0808458d in abort_connection (c=0x0) at sched.c:428
#12 0x0805aed5 in file_func (c=0x812c670) at file.c:228
#13 0x0808440a in run_connection (c=0x812c670) at sched.c:405
#14 0x08084618 in try_connection (c=0x812c670) at sched.c:448
#15 0x08084865 in check_queue () at sched.c:506
#16 0x08085d90 in check_bottom_halves () at select.c:92
#17 0x08086a20 in select_loop (init=0x807bf50 <init>) at select.c:367
#18 0x0807c38d in main (argc=406343688, argv=0x0) at main.c:353

I tried this on both Sarge and Etch with identical results. Then again, that's not surprising, as both appear to share the same version of Links. Though probably not relevant, the Sarge installation has the following kernel/libc6:

2.6.15.7 kernel, self-built libc6: 2.3.2.ds1-22sarge4
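The failure mode the report describes, an integer that was never set being used as a table index, next to a lookup that validates the index first. This is an added C example, not code from links or from the reporter; the codepage table, `CP_UNKNOWN` and `u2cp_checked` are hypothetical names. The values 8868 (U+22A4, the code point of the `&top;` entity) and 135447896 are the arguments shown in frame #0 of the backtrace.

```c
#include <stddef.h>

/* Hypothetical stand-in for a browser's codepage table (not links' real data). */
struct codepage { const char *name; int is_utf8; };
static const struct codepage codepages[] = {
    { "us-ascii", 0 },
    { "utf-8",    1 },
};
#define N_CODEPAGES ((int)(sizeof codepages / sizeof codepages[0]))
#define CP_UNKNOWN  (-1)   /* explicit "no charset chosen yet" value for callers */

/* Encode a BMP code point as UTF-8 into buf; returns the number of bytes. */
static size_t encode_utf8(unsigned u, char *buf)
{
    if (u < 0x80)  { buf[0] = (char)u; return 1; }
    if (u < 0x800) { buf[0] = (char)(0xC0 | (u >> 6));
                     buf[1] = (char)(0x80 | (u & 0x3F)); return 2; }
    buf[0] = (char)(0xE0 | (u >> 12));
    buf[1] = (char)(0x80 | ((u >> 6) & 0x3F));
    buf[2] = (char)(0x80 | (u & 0x3F));
    return 3;
}

/* Checked u2cp-style lookup: `to` is range-checked before it indexes the
 * table. Writes the converted character to buf (at least 4 bytes) and
 * returns its length, or 0 when `to` is not a valid codepage index so the
 * caller can skip the character instead of reading outside the table. */
size_t u2cp_checked(unsigned u, int to, char *buf)
{
    if (to < 0 || to >= N_CODEPAGES)
        return 0;                                /* unset or bogus index */
    if (u > 0xFFFF || (u >= 0xD800 && u <= 0xDFFF)) {
        buf[0] = '?';                            /* outside this model's range */
        return 1;
    }
    if (u < 0x80 || codepages[to].is_utf8)
        return encode_utf8(u, buf);
    buf[0] = '?';                                /* not representable in target */
    return 1;
}
```

A caller that has no charset yet, as when scanning the document head, would pass `CP_UNKNOWN` rather than an unset variable, so the rejected path is deterministic.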