tech@mandoc.bsd.lv
 help / color / mirror / Atom feed
From: Ingo Schwarze <schwarze@usta.de>
To: Stephen Gregoratto <dev@sgregoratto.me>
Cc: tech@mandoc.bsd.lv
Subject: Re: [docbook2mdoc] Segfault encountering href attr in xml preamble(s)
Date: Sat, 20 Apr 2019 06:28:41 +0200	[thread overview]
Message-ID: <20190420042841.GA45166@athene.usta.de> (raw)
In-Reply-To: <20190419042833.r5h33msa4h3pbej5@BlackBox>

Hi Stephen,

Stephen Gregoratto wrote on Fri, Apr 19, 2019 at 02:28:33PM +1000:

> I tried testing the new 1.0.0 release on some of my files and came 
> across this bug. Some refentry files encode their chosen xsl stylesheet 
> by putting it in the file itself. I believe this is to help converters 
> like xmlto(1). The format is:
> 
> <?xml-stylesheet type="text/xsl"
>    href="http://foo.tld/bar.xsl"?>
> 
> When docbook2mdoc encounters the href attribute, it eventually calls 
> xml_attrkey() in parse.c, failing in the TAILQ_INSERT_TAIL macro.

Good analysis, thanks.

Calling xml_attrkey() is still fine.
The string "<?xml-stylesheet" is supposed to be interpreted as the
beginning of an element; docbook2mdoc doesn't really distinguish
between XML elements and XML processing instructions.  And the
string "href=" is supposed to be interpreted as the beginning of
an attribute.

But inside xml_attrkey(), no processing should be done because
an unknown element does not generate a node in the node tree,
so there is no node that the attribute could be inserted into.

I think i broke this when making the NODE_* enum constants in node.h
more fine-grained, specifically when distinguishing NODE_UNKNOWN
and NODE_IGNORE.

Fixed with the commit below.

Yours,
  Ingo


Log Message:
-----------
do not crash by trying to insert an attribute into a non-existent node;
segfault reported by Stephen Gregoratto <dev at sgregoratto dot me>

Modified Files:
--------------
    docbook2mdoc:
        parse.c

Revision Data
-------------
Index: parse.c
===================================================================
RCS file: /home/cvs/mdocml/docbook2mdoc/parse.c,v
retrieving revision 1.46
retrieving revision 1.47
diff -Lparse.c -Lparse.c -u -p -r1.46 -r1.47
--- parse.c
+++ parse.c
@@ -553,7 +553,7 @@ xml_attrkey(struct parse *p, const char 
 	const char	*value;
 	enum attrkey	 key;
 
-	if (p->del > 0 || p->ncur == NODE_IGNORE || *name == '\0')
+	if (p->del > 0 || p->ncur >= NODE_UNKNOWN || *name == '\0')
 		return;
 
 	if ((p->ncur == NODE_DOCTYPE || p->ncur == NODE_ENTITY) &&
@@ -590,7 +590,7 @@ xml_attrval(struct parse *p, const char 
 {
 	struct pattr	*a;
 
-	if (p->del > 0 || p->ncur == NODE_IGNORE ||
+	if (p->del > 0 || p->ncur >= NODE_UNKNOWN ||
 	    (p->flags & PFLAG_ATTR) == 0)
 		return;
 	if ((a = TAILQ_LAST(&p->cur->attrq, pattrq)) == NULL)
--
 To unsubscribe send an email to tech+unsubscribe@mandoc.bsd.lv

      reply	other threads:[~2019-04-20  4:28 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-19  4:28 Stephen Gregoratto
2019-04-20  4:28 ` Ingo Schwarze [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190420042841.GA45166@athene.usta.de \
    --to=schwarze@usta.de \
    --cc=dev@sgregoratto.me \
    --cc=tech@mandoc.bsd.lv \
    --subject='Re: [docbook2mdoc] Segfault encountering href attr in xml preamble(s)' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).