tech@mandoc.bsd.lv
* mandoc 1.14.3 segfault
@ 2017-08-12 10:27 Michael Stapelberg
  2017-08-12 10:57 ` Jan Stary
  2017-09-06 16:30 ` Ingo Schwarze
  0 siblings, 2 replies; 4+ messages in thread
From: Michael Stapelberg @ 2017-08-12 10:27 UTC (permalink / raw)
  To: tech


Hey,

I’m running into a segfault with mandoc 1.14.3. Steps to reproduce and full
backtrace follow below. Please let me know if you need anything else, and
thanks in advance for taking a look:

% curl https://manpages.debian.org/stretch/tcpreplay/tcprewrite.1.en.gz | mandoc -Thtml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16621    0 16621    0     0  18902      0 --:--:-- --:--:-- --:--:-- 18887
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8"/>
  <style>
    table.head, table.foot { width: 100%; }
    td.head-rtitle, td.foot-os { text-align: right; }
    td.head-vol { text-align: center; }
    div.Pp { margin: 1ex 0ex; }
  </style>
  <title>TCPREWRITE(1)</title>
</head>
<body>
<table class="head">
  <tr>
    <td class="head-ltitle">TCPREWRITE(1)</td>
    <td class="head-vol">Programmer's Manual</td>
    <td class="head-rtitle">TCPREWRITE(1)</td>
  </tr>
</table>
<div class="manual-text">
<h1 class="Sh" title="Sh" id="NAME"><a class="selflink"
href="#NAME">NAME</a></h1>
tcprewrite - Rewrite the packets in a pcap file.
<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink"
href="#SYNOPSIS">SYNOPSIS</a></h1>
<b>tcprewrite</b> [<b>-<i>flag</i></b> [<i>value</i>]]...
  [<b>--<i>opt-name</i></b> [[=| ]<i>value</i>]]...
<div class="Pp"></div>
All arguments must be options.
<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink"
href="#DESCRIPTION">DESCRIPTION</a></h1>
This manual page briefly documents the <b>tcprewrite</b> command.
Tcprewrite is
  a tool to rewrite packets stored in <i>pcap(3)</i> file format, such as
crated
  by tools such as <i>tcpdump(1)</i> and <i>ethereal(1)</i>. Once a pcap
file
  has had it's packets rewritten, they can be replayed back out on the
network
  using <i>tcpreplay(1)</i>.
<div style="height: 1.00em;">&#x00A0;</div>
tcprewrite currently supports reading the following DLT types:
<div style="height: 1.00em;">&#x00A0;</div>
<b>DLT_C_HDLC</b> aka Cisco HDLC
<div style="height: 1.00em;">&#x00A0;</div>
<b>DLT_EN10MB</b> aka Ethernet
<div style="height: 1.00em;">&#x00A0;</div>
<b>DLT_LINUX_SLL</b> aka Linux Cooked Socket
<div style="height: 1.00em;">&#x00A0;</div>
<b>DLT_RAW</b> aka RAW IP
<div style="height: 1.00em;">&#x00A0;</div>
<b>DLT_NULL</b> aka BSD Loopback
<div style="height: 1.00em;">&#x00A0;</div>
<b>DLT_LOOP</b> aka OpenBSD Loopback
<div style="height: 1.00em;">&#x00A0;</div>
<b>DLT_IEEE802_11</b> aka 802.11a/b/g
<div style="height: 1.00em;">&#x00A0;</div>
<b>DLT_IEEE802_11_RADIO</b> aka 802.11a/b/g with Radiotap headers
<div style="height: 1.00em;">&#x00A0;</div>
Please see the --dlt option for supported DLT types for writing.
<div style="height: 1.00em;">&#x00A0;</div>
The packet editing features of tcprewrite which distinguish between
  &quot;client&quot; and &quot;server&quot; traffic requires a tcpprep(1)
cache
  file.
<div style="height: 1.00em;">&#x00A0;</div>
For more details, please see the Tcpreplay Manual at:
  http://tcpreplay.synfin.net/trac/wiki/manual
<h1 class="Sh" title="Sh" id="OPTIONS"><a class="selflink"
href="#OPTIONS">OPTIONS</a></h1>
zsh: done                              curl https://manpages.debian.org/stretch/tcpreplay/tcprewrite.1.en.gz |
zsh: segmentation fault (core dumped)  mandoc -Thtml


% gdb =mandoc core
Reading symbols from /usr/bin/mandoc...Reading symbols from /usr/lib/debug/.build-id/05/d31ff6a59b9781107cf5670079cfec1af6cada.debug...done.
done.
[New LWP 26130]
Core was generated by `mandoc -Thtml'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000559dfe7fd32c in html_make_id (n=<optimized out>) at html.c:256
256 for (cp = buf; *cp != '\0'; cp++)
gdb $ backtrace full
#0  0x0000559dfe7fd32c in html_make_id (n=<optimized out>) at html.c:256
        nch = <optimized out>
        buf = 0x0
        cp = 0x0
#1  0x0000559dfe7ff751 in man_SS_pre (man=<optimized out>, n=<optimized out>, h=0x559dff5d08a0) at man_html.c:492
        id = <optimized out>
        man = <optimized out>
        h = 0x559dff5d08a0
        n = <optimized out>
#2  0x0000559dfe7ff0f4 in print_man_node (man=0x559dff5d0750, n=0x559dff5ea490, h=0x559dff5d08a0) at man_html.c:316
        want_fillmode = 385
        save_fillmode = 0
        t = 0x559dff5d4d50
        child = 1
        __PRETTY_FUNCTION__ = "print_man_node"
#3  0x0000559dfe7ff256 in print_man_nodelist (h=<optimized out>, n=0x559dff5ea490, man=<optimized out>) at man_html.c:180
No locals.
#4  print_man_node (man=0x559dff5d0750, n=0x559dff5ea3f0, h=0x559dff5d08a0) at man_html.c:326
        want_fillmode = 385
        save_fillmode = 0
        t = 0x559dff5d4d50
        child = <optimized out>
        __PRETTY_FUNCTION__ = "print_man_node"
#5  0x0000559dfe7ff256 in print_man_nodelist (h=<optimized out>, n=0x559dff5ea3f0, man=<optimized out>) at man_html.c:180
No locals.
#6  print_man_node (man=0x559dff5d0750, n=0x559dff5ea350, h=0x559dff5d08a0) at man_html.c:326
        want_fillmode = 385
        save_fillmode = 0
        t = 0x559dff5d4d50
        child = <optimized out>
        __PRETTY_FUNCTION__ = "print_man_node"
#7  0x0000559dfe7ff256 in print_man_nodelist (h=<optimized out>, n=0x559dff5ea350, man=<optimized out>) at man_html.c:180
No locals.
#8  print_man_node (man=0x559dff5d0750, n=0x559dff5ea150, h=0x559dff5d08a0) at man_html.c:326
        want_fillmode = 385
        save_fillmode = 0
        t = 0x559dff5d4d50
        child = <optimized out>
        __PRETTY_FUNCTION__ = "print_man_node"
#9  0x0000559dfe7ffade in print_man_nodelist (h=0x559dff5d08a0, n=0x559dff5ea150, man=0x559dff5d0750) at man_html.c:180
No locals.
#10 html_man (arg=0x559dff5d08a0, man=0x559dff5d0750) at man_html.c:157
        h = 0x559dff5d08a0
        t = 0x559dff5d4d50
#11 0x0000559dfe816f1e in parse (curp=0x7ffde46ce240, fd=0, file=0x559dfe8393e1 "<stdin>") at main.c:801
        rctmp = MANDOCLEVEL_OK
        man = 0x559dff5d0750
        __PRETTY_FUNCTION__ = "parse"
#12 0x0000559dfe7fc1a8 in main (argc=<optimized out>, argv=<optimized out>) at main.c:466
        conf = {
          output = {
            includes = 0x0,
            man = 0x0,
            paper = 0x0,
            style = 0x0,
            indent = 0,
            width = 0,
            fragment = 0,
            mdoc = 0,
            synopsisonly = 0,
            noval = 0
          },
          manpath = {
            paths = 0x0,
            sz = 0
          }
        }
        search = {
          arch = 0x0,
          sec = 0x0,
          outkey = 0x559dfe836fc0 "Nd",
          argmode = ARG_FILE,
          firstmatch = 0
        }
        curp = {
          mp = 0x559dff5d0020,
          outopts = 0x7ffde46ce270,
          outdata = 0x559dff5d08a0,
          os_s = 0x0,
          wstop = 0,
          mmin = MANDOCERR_MAX,
          os_e = MANDOC_OS_OTHER,
          outtype = OUTT_HTML
        }
        tag_files = 0x0
        res = 0x0
        resp = <optimized out>
        progname = <optimized out>
        sec = <optimized out>
        thisarg = <optimized out>
        conf_file = 0x0
        defpaths = 0x0
        auxpaths = 0x0
        oarg = <optimized out>
        uc = <optimized out>
        i = <optimized out>
        sz = 0
        prio = <optimized out>
        best_prio = <optimized out>
        outmode = <optimized out>
        fd = <optimized out>
        show_usage = 0
        options = <optimized out>
        use_pager = <optimized out>
        status = 0
        signum = <optimized out>
        c = <optimized out>
        pager_pid = <optimized out>
        tc_pgid = <optimized out>
        man_pgid = <optimized out>
        pid = <optimized out>


-- 
Best regards,
Michael



* Re: mandoc 1.14.3 segfault
  2017-08-12 10:27 mandoc 1.14.3 segfault Michael Stapelberg
@ 2017-08-12 10:57 ` Jan Stary
  2017-08-29  7:04   ` Michael Stapelberg
  2017-09-06 16:30 ` Ingo Schwarze
  1 sibling, 1 reply; 4+ messages in thread
From: Jan Stary @ 2017-08-12 10:57 UTC (permalink / raw)
  To: tech

On Aug 12 12:27:32, stapelberg@debian.org wrote:
> I’m running into a segfault with mandoc 1.14.3. Steps to reproduce and full
> backtrace follow below. Please let me know if you need anything else, and
> thanks in advance for taking a look:
> 
> % curl https://manpages.debian.org/stretch/tcpreplay/tcprewrite.1.en.gz |
> mandoc -Thtml

The curl pipe apparently has nothing to do with it,
I can reproduce the segfault locally with

	mandoc -Thtml tcprewrite.1.en.gz

Note that the gzip file is not a gzip file.
--
 To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv


* Re: mandoc 1.14.3 segfault
  2017-08-12 10:57 ` Jan Stary
@ 2017-08-29  7:04   ` Michael Stapelberg
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Stapelberg @ 2017-08-29  7:04 UTC (permalink / raw)
  To: tech

Any news on this issue? This is blocking upgrading manpages.debian.org
to the new mandoc release.

On Sat, Aug 12, 2017 at 12:57 PM, Jan Stary <hans@stare.cz> wrote:
> On Aug 12 12:27:32, stapelberg@debian.org wrote:
>> I’m running into a segfault with mandoc 1.14.3. Steps to reproduce and full
>> backtrace follow below. Please let me know if you need anything else, and
>> thanks in advance for taking a look:
>>
>> % curl https://manpages.debian.org/stretch/tcpreplay/tcprewrite.1.en.gz |
>> mandoc -Thtml
>
> The curl pipe apparently has nothing to do with it,
> I can reproduce the segfault locally with
>
>         mandoc -Thtml tcprewrite.1.en.gz
>
> Note that the gzip file is not a gzip file.



-- 
Best regards,
Michael


* Re: mandoc 1.14.3 segfault
  2017-08-12 10:27 mandoc 1.14.3 segfault Michael Stapelberg
  2017-08-12 10:57 ` Jan Stary
@ 2017-09-06 16:30 ` Ingo Schwarze
  1 sibling, 0 replies; 4+ messages in thread
From: Ingo Schwarze @ 2017-09-06 16:30 UTC (permalink / raw)
  To: Michael Stapelberg; +Cc: tech

Hi Michael,

Michael Stapelberg wrote on Sat, Aug 12, 2017 at 12:27:32PM +0200:

> I'm running into a segfault with mandoc 1.14.3.

Sorry for the delay, i got distracted by xlocale support in our libc.

I just committed the patch below.

Given that

  .SS ""

is quite exotic (and nonsensical), i consider the issue minor
and not requiring an emergency release.

Thanks for both the report and the reminder!

Yours,
  Ingo


Log Message:
-----------
fix a NULL pointer access on deroff() failure;
could be triggered with '.SS ""';
reported by Michael <Stapelberg at debian>

Modified Files:
--------------
    mandoc:
        html.c

Revision Data
-------------
Index: html.c
===================================================================
RCS file: /home/cvs/mandoc/mandoc/html.c,v
retrieving revision 1.219
retrieving revision 1.220
diff -Lhtml.c -Lhtml.c -u -p -r1.219 -r1.220
--- html.c
+++ html.c
@@ -250,6 +250,8 @@ html_make_id(const struct roff_node *n)
 
 	buf = NULL;
 	deroff(&buf, n);
+	if (buf == NULL)
+		return NULL;
 
 	/* http://www.w3.org/TR/html5/dom.html#the-id-attribute */
 
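Review bot: the early `return NULL` after `deroff(&buf, n)` only removes the crash if every caller of html_make_id() tolerates a NULL result; the backtrace in this thread shows man_SS_pre() at man_html.c:492 reaching html.c:256 for `.SS ""`, and the hunk does not show whether that caller skips the id attribute when NULL comes back, so that path (and any other caller that hands the id straight to an attribute) should be checked. Returning NULL rather than an empty string is the right shape, since an empty id value would violate the HTML5 id rule cited in the comment directly below the new check.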
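As an added illustration that is not mandoc's code: a constructed C model of the failure the patch above guards against, an id builder that receives no text for an empty heading such as `.SS ""` and returns NULL instead of walking a NULL buffer. The node layout, the `deroff_join` stand-in and the space-to-underscore mapping are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a roff heading node, not mandoc's roff_node:
 * words is a NULL-terminated array of the heading's text children. */
struct node {
	const char **words;
};

/* Stand-in for deroff(): joins the non-empty text children with single
 * spaces into a malloc'd string. Leaves *buf NULL when there is no text
 * (or malloc fails), which is exactly the condition the fix checks for. */
static void
deroff_join(char **buf, const struct node *n)
{
	size_t len = 0, i;

	for (i = 0; n->words[i] != NULL; i++)
		if (n->words[i][0] != '\0')
			len += strlen(n->words[i]) + 1;
	if (len == 0 || (*buf = malloc(len)) == NULL)
		return;
	(*buf)[0] = '\0';
	for (i = 0; n->words[i] != NULL; i++) {
		if (n->words[i][0] == '\0')
			continue;
		if ((*buf)[0] != '\0')
			strcat(*buf, " ");
		strcat(*buf, n->words[i]);
	}
}

/* Builds an HTML id from the heading text. Returns NULL when the heading
 * has no text, so the caller must omit the id attribute in that case.
 * Spaces become '_' because an id must not contain whitespace (assumed
 * mapping, not mandoc's exact rule). The caller frees the result. */
char *
make_id(const struct node *n)
{
	char *buf = NULL, *cp;

	deroff_join(&buf, n);
	if (buf == NULL)        /* the check added by the patch in this thread */
		return NULL;
	for (cp = buf; *cp != '\0'; cp++)
		if (*cp == ' ')
			*cp = '_';
	return buf;
}
```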
