Bug 146433

Summary: links - segmentation fault
Product: [Fedora] Fedora
Reporter: Michal Jaegermann <michal>
Component: elinks
Assignee: Karel Zak <kzak>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium    
Version: 3   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2005-01-28 18:38:25 UTC

Description Michal Jaegermann 2005-01-28 05:11:22 UTC
Description of problem:

In November 2004 this report showed up:
http://www.securityfocus.com/archive/1/378632
In particular, links_die1.html from 'gallery' in 'mangleme',
http://lcamtuf.coredump.cx/soft/mangleme.tgz
is still causing the following with the current version in FC3:

ERROR at memory.c:26: Out of memory (calloc returned NULL): retry #1,
I still exercise my patience and retry tirelessly.
ERROR at memory.c:26: Out of memory (calloc returned NULL): retry #2,
I still exercise my patience and retry tirelessly.
ERROR at memory.c:38: Out of memory (calloc returned NULL) after 3
tries, I give up and try to continue. Pray for me, please.

ELinks crashed. That shouldn't happen.
.....

links(dump_backtrace+0x2d)[0x48445d]
links[0x44cf1e]
/lib64/tls/libc.so.6[0x307702e570]
links[0x439876]
links(format_table+0x2af)[0x43b8ff]
links(parse_html+0xca8)[0x431678]
links(format_html_part+0x226)[0x437546]
links(render_html_document+0x1cf)[0x437cdf]
links(render_document+0x3fe)[0x429d4e]
links(render_document_frames+0x15c)[0x429f7c]
links(draw_formatted+0x1eb)[0x41a7db]
links(display_timer+0x1e)[0x4456de]
links(end_load+0x3cb)[0x44779b]
links[0x4403c1]
links[0x4407ee]
links(abort_connection+0x2f)[0x440fff]
links[0x4572c2]
links(check_queue+0x190)[0x4412b0]
links(do_check_bottom_halves+0x36)[0x44a676]
links(select_loop+0x56d)[0x44b19d]
Aborted

In gdb one can see:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000439876 in render_html_document ()
(gdb) bt
#0  0x0000000000439876 in render_html_document ()
#1  0x000000000043b8ff in format_table ()
#2  0x0000000000431678 in parse_html ()
#3  0x0000000000437546 in format_html_part ()
#4  0x0000000000437cdf in render_html_document ()
#5  0x0000000000429d4e in render_document ()
#6  0x0000000000429f7c in render_document_frames ()
#7  0x000000000041a7db in draw_formatted ()
#8  0x00000000004456de in display_timer ()
#9  0x000000000044779b in end_load ()
#10 0x00000000004403c1 in connect_info ()
#11 0x00000000004407ee in set_connection_state ()
#12 0x0000000000440fff in abort_connection ()
#13 0x00000000004572c2 in get_user_program ()
#14 0x00000000004412b0 in check_queue ()
#15 0x000000000044a676 in do_check_bottom_halves ()
#16 0x000000000044b19d in select_loop ()
#17 0x000000000040fe85 in main ()

Version-Release number of selected component (if applicable):
elinks-0.9.2-2

How reproducible:
100%

Comment 1 Michal Jaegermann 2005-01-28 05:12:38 UTC
See also bug #137630.

Comment 2 Michal Jaegermann 2005-01-28 21:10:21 UTC
Changelog for 0.9.1-1.1 says 
"limit rowspan/colspan values prevents crashes reported at
http://www.securityfocus.com/archive/1/378632"
Er... this was just an example.  Did you try to run
'mangleme', as described in its documentation, and nothing spooks
elinks anymore?
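
The failure mode in this report (a calloc failure that is ignored, after which table layout continues) and the span limit quoted from the changelog, shown as an added example that is not ELinks code and not part of the original thread. MAX_SPAN, struct grid and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_SPAN 1024 /* assumed cap for this example, not an ELinks value */

struct grid { size_t rows, cols; unsigned char *cells; };

/* Parse a rowspan/colspan value: invalid or < 1 becomes 1, huge is clamped. */
int parse_span(const char *attr)
{
    char *end;
    long v;

    if (!attr || !*attr) return 1;
    errno = 0;
    v = strtol(attr, &end, 10);
    if (end == attr || v < 1) return 1;
    if (errno == ERANGE || v > MAX_SPAN) return MAX_SPAN;
    return (int)v;
}

/* Allocate rows x cols cells. Returns -1 with g->cells == NULL on failure,
 * so the caller skips the table instead of laying it out on a NULL grid. */
int grid_alloc(struct grid *g, size_t rows, size_t cols)
{
    g->rows = g->cols = 0;
    g->cells = NULL;
    if (rows == 0 || cols == 0 || rows > SIZE_MAX / cols) return -1;
    g->cells = calloc(rows, cols);
    if (!g->cells) return -1;
    g->rows = rows;
    g->cols = cols;
    return 0;
}

/* Mark the cells one <td> covers, clipping its spans to the grid bounds.
 * Returns the number of cells marked, or -1 if the grid is unusable. */
int grid_place(struct grid *g, size_t r, size_t c, const char *rowspan, const char *colspan)
{
    size_t rs = (size_t)parse_span(rowspan), cs = (size_t)parse_span(colspan), i, j;

    if (!g->cells || r >= g->rows || c >= g->cols) return -1;
    if (rs > g->rows - r) rs = g->rows - r;
    if (cs > g->cols - c) cs = g->cols - c;
    for (i = 0; i < rs; i++)
        for (j = 0; j < cs; j++)
            g->cells[(r + i) * g->cols + (c + j)] = 1;
    return (int)(rs * cs);
}
```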