Package: libneon26
Version: 0.26.2-3mdx1
Severity: grave
Tags: patch

Hi,

libneon26 ne_uri_parse() has severe problems parsing URIs with non-ASCII
characters. A real-world case is trying to save a document (example attached)
with openoffice.org-writer containing a hyperlink with non-ASCII characters
in the web link. The above action leads to an OOo segfault. Consider the gdb
session below (reproducible with the attached document: type a character
and attempt to resave the document):

(gdb) bt
#0  0x00002aaab35229e5 in ne_uri_parse (uri=0x1fd1328 "http://Ä\205.com/", 
parsed=0x7fffc5e09660) at /tmp/buildd/neon26-0.26.2/src/ne_uri.c:179
#1  0x00002aaab33ddb4e in NeonUri () from 
/usr/lib/openoffice/program/libucpdav1.so
#2  0x00002aaab33b9a2a in Content () from 
/usr/lib/openoffice/program/libucpdav1.so
#3  0x00002aaab33b5a12 in webdav_ucp::ContentProvider::queryContent () from 
/usr/lib/openoffice/program/libucpdav1.so
#4  0x00002aaaab2602c3 in UniversalContentBroker::queryContent () from 
/usr/lib/openoffice/program/libucb1.so
#5  0x00002b95e55e8412 in (anonymous namespace)::normalizePrefix () from 
/usr/lib/openoffice/program/libsvt680lx.so
#6  0x00002b95e55e8972 in (anonymous namespace)::normalize () from 
/usr/lib/openoffice/program/libsvt680lx.so
#7  0x00002b95e55e9540 in URIHelper::normalizedMakeRelative () from 
/usr/lib/openoffice/program/libsvt680lx.so
#8  0x00002b95e55e9de3 in URIHelper::simpleNormalizedMakeRelative () from 
/usr/lib/openoffice/program/libsvt680lx.so
#9  0x00002aaaadeda6e2 in SvXMLExport::GetRelativeReference () from 
/usr/lib/openoffice/program/libxo680lx.so
#10 0x00002aaaadfc50fb in XMLTextParagraphExport::addHyperlinkAttributes () 
from /usr/lib/openoffice/program/libxo680lx.so
#11 0x00002aaaadfcea40 in XMLTextParagraphExport::exportTextRange () from 
/usr/lib/openoffice/program/libxo680lx.so
#12 0x00002aaaadfd35f5 in XMLTextParagraphExport::exportTextRangeEnumeration () 
from /usr/lib/openoffice/program/libxo680lx.so
#13 0x00002aaaadfd401b in XMLTextParagraphExport::exportParagraph () from 
/usr/lib/openoffice/program/libxo680lx.so
#14 0x00002aaaadfd2e2b in XMLTextParagraphExport::exportTextContentEnumeration 
() from /usr/lib/openoffice/program/libxo680lx.so
#15 0x00002aaaadfd54b2 in XMLTextParagraphExport::exportText () from 
/usr/lib/openoffice/program/libxo680lx.so
#16 0x00002aaab05af7a4 in SwXMLExport::_ExportContent () from 
/usr/lib/openoffice/program/libsw680lx.so
#17 0x00002aaaadedca6f in SvXMLExport::ImplExportContent () from 
/usr/lib/openoffice/program/libxo680lx.so
#18 0x00002aaaadee9ede in SvXMLExport::exportDoc () from 
/usr/lib/openoffice/program/libxo680lx.so
#19 0x00002aaab05ad8f8 in SwXMLExport::exportDoc () from 
/usr/lib/openoffice/program/libsw680lx.so
#20 0x00002aaaadedb220 in SvXMLExport::filter () from 
/usr/lib/openoffice/program/libxo680lx.so
#21 0x00002aaab05a96a3 in SwXMLWriter::WriteThroughComponent () from 
/usr/lib/openoffice/program/libsw680lx.so
#22 0x00002aaab05a9d4a in SwXMLWriter::WriteThroughComponent () from 
/usr/lib/openoffice/program/libsw680lx.so
#23 0x00002aaab05ab4af in SwXMLWriter::_Write () from 
/usr/lib/openoffice/program/libsw680lx.so
#24 0x00002aaab05ac389 in SwXMLWriter::WriteMedium () from 
/usr/lib/openoffice/program/libsw680lx.so
#25 0x00002aaab04e3f58 in StgWriter::Write () from 
/usr/lib/openoffice/program/libsw680lx.so
#26 0x00002aaab05a903b in SwXMLWriter::Write () from 
/usr/lib/openoffice/program/libsw680lx.so
#27 0x00002aaab04248f3 in SwWriter::Write () from 
/usr/lib/openoffice/program/libsw680lx.so
#28 0x00002aaab05f19b9 in SwDocShell::SaveAs () from 
/usr/lib/openoffice/program/libsw680lx.so
#29 0x00002aaaab8e8f67 in SfxObjectShell::SaveAsOwnFormat () from 
/usr/lib/openoffice/program/libsfx680lx.so
#30 0x00002aaaab8f77ad in SfxObjectShell::SaveTo_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#31 0x00002aaaab8f92b0 in SfxObjectShell::DoSave_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#32 0x00002aaaab8f9668 in SfxObjectShell::Save_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#33 0x00002aaaab9509b7 in SfxBaseModel::storeSelf () from 
/usr/lib/openoffice/program/libsfx680lx.so
#34 0x00002aaaab9688cf in SfxStoringHelper::GUIStoreModel () from 
/usr/lib/openoffice/program/libsfx680lx.so
#35 0x00002aaaab900ccc in SfxObjectShell::ExecFile_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#36 0x00002aaaab9baeff in SfxDispatcher::Call_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#37 0x00002aaaab9bb651 in SfxDispatcher::PostMsgHandler () from 
/usr/lib/openoffice/program/libsfx680lx.so
#38 0x00002aaaab9e702a in SfxHintPoster::LinkStubDoEvent_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#39 0x00002b95e5042958 in ImplWindowFrameProc () from 
/usr/lib/openoffice/program/libvcl680lx.so
#40 0x00002b95eb34ad45 in SalDisplay::DispatchInternalEvent () from 
/usr/lib/openoffice/program/libvclplug_gen680lx.so
#41 0x00002b95eb34ad6e in SalX11Display::Yield () from 
/usr/lib/openoffice/program/libvclplug_gen680lx.so
#42 0x00002b95eb34ab57 in DisplayYield () from 
/usr/lib/openoffice/program/libvclplug_gen680lx.so
#43 0x00002b95eb342c3f in SalXLib::Yield () from 
/usr/lib/openoffice/program/libvclplug_gen680lx.so
#44 0x00002b95e4e7a330 in Application::Yield () from 
/usr/lib/openoffice/program/libvcl680lx.so
#45 0x00002b95e4e7a3c7 in Application::Execute () from 
/usr/lib/openoffice/program/libvcl680lx.so
#46 0x0000000000429020 in desktop::Desktop::Main ()
#47 0x00002b95e4e7fcc4 in ImplSVMain () from 
/usr/lib/openoffice/program/libvcl680lx.so
#48 0x00002b95e4e7fdb5 in SVMain () from 
/usr/lib/openoffice/program/libvcl680lx.so
#49 0x000000000041c02a in sal_main ()
#50 0x00002b95e7a564ca in __libc_start_main () from /lib/libc.so.6
#51 0x000000000041bf5a in _start () at ../sysdeps/x86_64/elf/start.S:113
(gdb) info locals
pa = 0x1fd1335 "/"
p = 0x1fd132f "Ä\205.com/"
s = 0x1fd132f "Ä\205.com/"
(gdb) list
174             while (*pa != '/' && *pa != '\0')
175                 pa++;
176             /* => pa = path-abempty */
177
178             p = s;
179             while (p < pa && uri_lookup(*p) & URI_USERINFO)
180                 p++;
181
182             if (*p == '@') {
183                 parsed->userinfo = ne_strndup(s, p - s);
(gdb) p uri_chars[(unsigned)*p]
Cannot access memory at address 0x2aaeb3532fb0
(gdb) p (unsigned)*p
$1 = 4294967236
(gdb) ptype unsigned
type = unsigned int

uri_lookup macro should cast the value to unsigned char instead of
unsigned because unsigned implies unsigned int. The patch fixing this
bug is attached.

In addition, my patch adds DEB_BUILD_OPTIONS noopt support which was
useful while debugging this bug.

P.S. For some reason, OOo does not crash in my i386 chroot. I don't know
why since the bug is clearly arch independent.


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=lt_LT, LC_CTYPE=lt_LT (charmap=ISO-8859-13)

Versions of packages libneon26 depends on:
ii  libc6    2.3.6.ds1-9                     GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
ii  libkrb53 1.4.4-5                         MIT Kerberos runtime libraries
ii  libssl0. 0.9.8c-4                        SSL shared libraries
ii  libxml2  2.6.27.dfsg-1                   GNOME XML library
ii  zlib1g   1:1.2.3-13                      compression library - runtime

libneon26 recommends no packages.

-- no debconf information

Attachment: ne_uri_parser_segfault_testcase.odt
Description: Zip archive

diff -uNr neon26-0.26.2/debian/changelog neon26-0.26.2.new/debian/changelog
--- neon26-0.26.2/debian/changelog      2006-12-27 22:43:11.000000000 +0200
+++ neon26-0.26.2.new/debian/changelog  2006-12-27 22:18:19.000000000 +0200
@@ -1,3 +1,12 @@
+neon26 (0.26.2-3mdx1) unstable; urgency=high
+
+  * Support "noopt" in DEB_BUILD_OPTIONS
+  * src/ne_uri.c uri_lookup(ch) macro: (unsigned) == (unsigned int), thus if
+    the macro is given a negative argument, the array is referenced beyond
+    bounds resulting in a SIGSERV.
+
+ -- Modestas Vainius <[EMAIL PROTECTED]>  Wed, 27 Dec 2006 21:32:55 +0200
+
 neon26 (0.26.2-3) unstable; urgency=medium
 
   * Fix FTBFS caused by my previous upload, patch didn't apply on 64 bit
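Review bot: the last bullet of the new changelog entry has a typo, "SIGSERV" should read "SIGSEGV", the signal gdb reports in the backtrace above. The entry also does not reference the bug it fixes; a "(Closes: #nnnnnn)" on that bullet lets the BTS close the report on upload. Note that "0.26.2-3mdx1" is a local-build suffix; a maintainer upload of this fix would bump to 0.26.2-4 instead.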
diff -uNr neon26-0.26.2/debian/rules neon26-0.26.2.new/debian/rules
--- neon26-0.26.2/debian/rules  2006-12-27 22:43:11.000000000 +0200
+++ neon26-0.26.2.new/debian/rules      2006-12-27 21:32:45.000000000 +0200
@@ -16,7 +16,11 @@
                --enable-threadsafe-ssl=posix   \
                --with-gssapi                   \
                --with-libxml2
-CFLAGS="-O2 -g"
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+    CFLAGS="-O0 -g -Wall"
+else
+    CFLAGS="-O2 -g"
+endif
 
 ${BUILDDIR}/neon-openssl/config.status: configure
        cp  /usr/share/misc/config.guess \
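Review bot: `-Wall` is unrelated to `noopt` and appears only in the `-O0` branch, so debug and release builds will compile with different warning settings; either add it to both `CFLAGS=` lines or drop it so the hunk does only what DEB_BUILD_OPTIONS asks for. The `findstring noopt` test itself matches the Debian Policy idiom and `-O0 -g` is the documented meaning of `noopt`.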
diff -uNr neon26-0.26.2/src/ne_uri.c neon26-0.26.2.new/src/ne_uri.c
--- neon26-0.26.2/src/ne_uri.c  2006-10-05 15:40:46.000000000 +0300
+++ neon26-0.26.2.new/src/ne_uri.c      2006-12-27 22:18:38.000000000 +0200
@@ -110,7 +110,7 @@
 /*   Fx */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT
 };
 
-#define uri_lookup(ch) (uri_chars[(unsigned)ch])
+#define uri_lookup(ch) (uri_chars[(unsigned char)ch])
 
 char *ne_path_parent(const char *uri) 
 {
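Review bot: the cast change fixes the root cause: `char` is signed on x86, so the octet 0xC4 ("Ä" in the reporter's ISO-8859-13 locale) has the value -60, and `(unsigned)-60` is 4294967236, the `$1` value in the gdb session, far beyond the 256-entry `uri_chars` table (rows 0x through Fx); `(unsigned char)` maps the same octet to 196. Two follow-ups: parenthesize the macro argument, `(uri_chars[(unsigned char)(ch)])`, so a compound argument is cast as a whole rather than only its first operand; and the i386 non-crash in the P.S. is consistent with 32-bit pointer arithmetic wrapping `uri_chars + 0xFFFFFFC4` around to `uri_chars - 60`, a mapped but wrong location, so the read there is still out of bounds, just silent.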

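To make the diagnosis concrete, here is an added C example (not from the report or from neon) built on a constructed, reduced stand-in for the uri_chars table: it shows the index the original and patched casts produce for the reporter's first host octet 0xC4, and runs the userinfo scan loop from ne_uri_parse() with the patched lookup over the same host bytes.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for neon's 256-entry uri_chars class table (assumption:
 * only the USERINFO bit is modelled; neon's real table has more classes). */
#define URI_USERINFO 0x01
static unsigned char uri_chars[256];
static int table_ready;
static void init_table(void)
{
    /* ASCII letters, digits and userinfo sub-delims; octets 0x80..0xFF stay 0 (OT). */
    const char *ok = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789-._~!$&'()*+,;=:";
    memset(uri_chars, 0, sizeof uri_chars);
    for (; *ok; ok++)
        uri_chars[(unsigned char)*ok] |= URI_USERINFO;
    table_ready = 1;
}

/* Index the original macro computes, (unsigned)ch: with a signed char the octet
 * 0xC4 is -60, which converts to 4294967236, far past the table. */
unsigned bad_index(char ch) { return (unsigned)ch; }
/* Index the patched macro computes, (unsigned char)ch: always 0..255. */
unsigned good_index(char ch) { return (unsigned char)ch; }

static unsigned char uri_lookup(char ch)   /* patched lookup, cannot overrun */
{
    if (!table_ready) init_table();
    return uri_chars[good_index(ch)];
}

/* The userinfo scan from ne_uri_parse(): count leading authority octets that are
 * userinfo characters, stopping at the first '/' or NUL (pa = path-abempty). */
size_t scan_userinfo(const char *authority)
{
    const char *pa = authority, *p = authority;
    while (*pa != '/' && *pa != '\0') pa++;
    while (p < pa && (uri_lookup(*p) & URI_USERINFO)) p++;
    return (size_t)(p - authority);
}

int main(void)
{
    const char *host = "\xC4\x85.com/";   /* constructed: the reporter's host octets */
    printf("char is %s; bad index %u, good index %u, userinfo octets consumed %zu\n",
           CHAR_MIN < 0 ? "signed" : "unsigned", bad_index(host[0]),
           good_index(host[0]), scan_userinfo(host));
    return 0;
}
```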