- From: Stefan Ulrich <ulrich@cis.uni-muenchen.de>
- Date: Sat, 23 Jun 2001 19:03:23 +0200
- To: www-lib@w3.org
- CC: janl@linpro.no
Hi,
It seems there is a bug in libwww when using invalid URIs
(URIs missing an access scheme, like `test') as the first argument
to `HTLoadToFile', like this:
    HTRequest *request = HTRequest_new();
    int status = HTLoadToFile("test", request, "/tmp/testa");
    HTRequest_delete(request);
The FILE * obtained for "/tmp/testa" is closed twice in this
case, leading to a segfault/stack corruption (I first observed
this with xdvik - see
http://sourceforge.net/tracker/?func=detail&atid=377580&aid=434836&group_id=23164).
This happens with Linux (RedHat 7.0, gcc 2.96) and libwww 5.3.2.
Here's a stack trace obtained with libefence:
ElectricFence Aborting: free(40832e94): address not from malloc().
Program received signal SIGILL, Illegal instruction.
[Switching to Thread 1024 (LWP 14211)]
0x400514e1 in __kill () from /lib/libc.so.6
(gdb) bt
#0 0x400514e1 in __kill () from /lib/libc.so.6
#1 0x400232ee in do_abort () at print.c:27
#2 0x400235f1 in EF_Abortv (pattern=0x400239c0 "free(%a): address not from malloc().",
args=0xbffff264) at print.c:137
#3 0x4002361f in EF_Abort (pattern=0x400239c0 "free(%a): address not from malloc().")
at print.c:146
#4 0x40022ce9 in free (address=0x40832e94) at efence.c:749
#5 0x40092513 in _IO_new_fclose (fp=0x40832e94) at iofclose.c:87
#6 0x806f4ba in HTFWriter_free (me=0x40834ff4) at HTFWrite.c:65
#7 0x807c214 in HTRequest_delete (me=0x4083aee8) at HTReqMan.c:178
#8 0x8049a1e in main ()
#9 0x40040b65 in __libc_start_main (main=0x804996c <main>, argc=1, ubp_av=0xbffff3b4,
init=0x80492f0 <_init>, fini=0x80850bc <_fini>, rtld_fini=0x4000df24 <_dl_fini>,
stack_end=0xbffff3ac) at ../sysdeps/generic/libc-start.c:111
In HTLoadToFile (in HTAccess.c) the following happens:
    if ((fp = fopen(filename, "wb")) == NULL) {
        HTRequest_addError(request, ERR_FATAL, NO, HTERR_NO_FILE,
                           (char *) filename, strlen(filename),
                           "HTLoadToFile");
        return NO;
    }
HTFWriter_new sets the `private' fp member of the HTStream object
to the fp returned by fopen():
    HTRequest_setOutputStream(request, HTFWriter_new(request, fp, NO));
HTLoadAbsolute returns NO (via launch_request (HTAccess.c),
HTLoad (HTReqMan.c), HTNet_newClient (HTNet.c)) in the following
line, so fp is closed for the first time:
    if (HTLoadAbsolute(url, request) == NO) {
        fclose(fp);
        /* FIX??? request->orig_output_stream = NULL; */
        return NO;
    } else
        return YES;
When the user later calls HTRequest_delete(request),
me->orig_output_stream (which is still the fp from above)
is closed for the second time (in HTReqMan.c):
    (*me->orig_output_stream->isa->_free)(me->orig_output_stream);
A possible fix might be to set `request->orig_output_stream' to
NULL (as indicated in the `FIX???' comment above), or maybe not
to fclose(fp) at all; but I'm not sure about how this fits into
the overall picture. Maybe someone who knows the library better
than me has a better approach for this ;-)
Best regards,
--
Stefan Ulrich
Received on Saturday, 23 June 2001 13:01:23 UTC
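The ownership fix the mail hints at, as an added example that is not libwww's code: once the FILE* has been handed to the output stream, the stream (not HTLoadToFile) owns it, so the failure path releases the stream through the request and clears the request's pointer instead of calling fclose(fp) behind the stream's back. Stream, Request, fwriter_new, request_delete and load_to_file are hypothetical stand-ins for libwww's HTStream, HTRequest, HTFWriter_new, HTRequest_delete and HTLoadToFile, and tmpfile() replaces the fopen of the output path.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins for libwww's HTStream/HTRequest (not libwww's code). */
typedef struct Stream Stream;
typedef struct { void (*_free)(Stream *); } StreamClass;
struct Stream { const StreamClass *isa; FILE *fp; int *close_count; };
typedef struct { Stream *orig_output_stream; } Request;
/* Like HTFWriter_free: the stream owns fp and closes it when it is freed. */
static void fwriter_free(Stream *me) {
    if (me->fp) { fclose(me->fp); me->fp = NULL; ++*me->close_count; }
    free(me);
}
static const StreamClass FWriterClass = { fwriter_free };

static Stream *fwriter_new(FILE *fp, int *close_count) {
    Stream *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->isa = &FWriterClass; s->fp = fp; s->close_count = close_count;
    return s;
}

/* Like HTRequest_delete: frees whatever output stream the request still owns. */
static void request_delete(Request *req) {
    if (req->orig_output_stream) {
        (*req->orig_output_stream->isa->_free)(req->orig_output_stream);
        req->orig_output_stream = NULL;
    }
}

/* Same shape as HTLoadToFile; load_fails stands in for HTLoadAbsolute() == NO.
 * Fix: once fp has been handed to the stream, the stream owns it, so the
 * failure path releases the stream through the request and clears the
 * request's pointer instead of calling fclose(fp) behind the stream's back. */
static int load_to_file(int load_fails, Request *req, int *close_count) {
    FILE *fp = tmpfile();                 /* stands in for fopen(filename, "wb") */
    if (!fp) return 0;
    req->orig_output_stream = fwriter_new(fp, close_count);
    if (!req->orig_output_stream) { fclose(fp); return 0; }  /* fp still ours */
    if (load_fails) { request_delete(req); return 0; }
    return 1;
}

/* Drives the path the mail describes; returns how often fp was closed. */
int closes_after_failed_load(void) {
    int count = 0; Request req = { NULL };
    load_to_file(1, &req, &count);
    request_delete(&req);                 /* the caller's HTRequest_delete */
    return count;                         /* 1 with the fix; the original reached 2 */
}
```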