Bug 458602 - w3m segfaults for some inputs
w3m segfaults for some inputs
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: w3m (Show other bugs)
9
All Linux
medium Severity medium
: ---
: ---
Assigned To: Parag Nemade
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-10 15:58 EDT by Michal Jaegermann
Modified: 2009-04-24 00:22 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-24 00:22:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Jaegermann 2008-08-10 15:58:47 EDT
Description of problem:

This is a sample of file which cauases w3m to segfault:
/usr/share/doc/sane-backends-1.0.19/sane-mfgs.html
from sane-backends-1.0.19-10.fc9 package.

On an attempts to show located at the top of the file in
question http://www.sane-project.org/images/sane.png
w3m invariably segfaults; at least on an x86_64 installation.
This does not happen in setting where a display of this image
is not attempted.

When core files are allowed and with w3m-debuginfo loaded gdb
gives the following backtrace from a resulting core:

Core was generated by `w3m sane-mfgs.html'.
Program terminated with signal 11, Segmentation fault.
[New process 18576]
....
(gdb) where
#0  0x0000003c1fc1cb60 in GC_malloc_atomic () from /usr/lib64/libgc.so.1
#1  0x00000000004384e2 in check_table_width (t=0x19bf320, newwidth=0x27de480,
    minv=0x27e7520, itr=1) at table.c:1242
#2  0x0000000000439e30 in renderTable (t=0x19bf320,
    max_width=<value optimized out>, h_env=0x7fff655a4e40) at table.c:1770
#3  0x000000000041e1b9 in HTMLlineproc0 (line=0x2799a08 "\n",
    h_env=0x7fff655a4e40, internal=0) at file.c:6221
#4  0x0000000000423aef in loadHTMLstream (f=0x7fff655a5350, newBuf=0x14307e0,
    src=0x0, internal=0) at file.c:6998
#5  0x0000000000423f78 in loadHTMLBuffer (f=0x7fff655a5350, newBuf=0x14307e0)
    at file.c:6550
#6  0x0000000000429d1b in reshapeBuffer (buf=0x14307e0) at buffer.c:562
#7  0x000000000042c1fa in displayBuffer (buf=0x3c1fe24e50, mode=0)
    at display.c:386
#8  0x000000000044b3fd in loadImage (buf=0x14307e0, flag=2) at image.c:424
#9  0x00000000004112bd in main (argc=<value optimized out>,
    argv=<value optimized out>, envp=<value optimized out>) at main.c:1129
(gdb) f 1
#1  0x00000000004384e2 in check_table_width (t=0x19bf320, newwidth=0x27de480,
    minv=0x27e7520, itr=1) at table.c:1242
1242        Sxx = NewAtom_N(double, cell->maxcell + 1);
(gdb) list
1237            for (m = 0; m < i; m++) {
1238                stotal += 2 * m_entry(minv, i, m);
1239            }
1240        }
1241
1242        Sxx = NewAtom_N(double, cell->maxcell + 1);
1243        for (k = 0; k <= cell->maxcell; k++) {
1244            j = cell->index[k];
1245            bcol = cell->col[j];
1246            ecol = bcol + cell->colspan[j];
(gdb) p cell
No symbol "cell" in current context.

Version-Release number of selected component (if applicable):
w3m-0.5.2-10.fc9.x86_64
w3m-img-0.5.2-10.fc9.x86_64

How reproducible:
always

Additional info:
I do not know if this is the case also for i386
Comment 1 Parag Nemade 2008-09-08 07:27:19 EDT
(In reply to comment #0)
> Description of problem:
> 
> On an attempts to show located at the top of the file in
> question http://www.sane-project.org/images/sane.png
> w3m invariably segfaults; at least on an x86_64 installation.
> This does not happen in setting where a display of this image
> is not attempted.

   So does that mean if you take your curosr to "SANE" image then w3m segfaults? Can you give some more steps to reproduce this?
Also, how are you testing segfault when you are not even taking cursor over "SANE" which means no image will be shown?
Comment 2 Michal Jaegermann 2008-09-08 12:39:45 EDT
> So does that mean if you take your curosr to "SANE" image
> then w3m segfaults?

No, nothing of that sort.

The following packages are installed at this moment:
w3m-0.5.2-10.fc9.x86_64
w3m-img-0.5.2-10.fc9.x86_64
w3m-debuginfo-0.5.2-10.fc9.x86_64

With a machine connected to the net after I will type
in a gnome-terminal (some kind of a graphic capability
is required, I guess) this:

w3m /usr/share/doc/sane-backends-1.0.19/sane-mfgs.html

and I will not touch after that neither my mouse nor
keyboard, then w3m displays a top of the file in
question and, after a short moment, starts to load
_automatically_ images referenced on that page.
You can see a top fragment of a SANE logo starting
to show up and this is invariably followed by a segfault
as described in the original report.

You do not need w3m-debuginfo-0.5.2-10.fc9 for
that sefault to happen.  It was added to get some
meaningful information from gdb.

If you will make a local copy of sane.png and
modify "href" in sane-mfgs.html to use that instead
then effects are exactly the same so in that sense
a network connection is not essential.

After a segfault you will have to reset a terminal
used as it will be messed up to some extent.
Comment 3 Jens Petersen 2008-09-09 00:46:42 EDT
Reproduced on my F9 x86_64 box.
Comment 4 Parag Nemade 2009-04-23 03:29:26 EDT
revisiting this long time pending bug on F11 system.
I have following packages installed on 64 bit system(Yes I got now own 64 bit OS installed with me)
w3m-0.5.2-13.fc11.x86_64
w3m-img-0.5.2-13.fc11.x86_64


When attempted to use
w3m /usr/share/doc/sane-backends-1.0.19/sane-mfgs.html

I can see images without problem.


Can you check if you still face this bug in F11? If not then will close this bug.
Comment 5 Michal Jaegermann 2009-04-23 13:56:32 EDT
> Can you check if you still face this bug in F11?

No. At least in precise attempts as described in the original report.  I cannot be sure that nothing else will trip it but I do not have examples on hand. It also does not bomb out on F10 installation.  Nothing changed on F9 though but these are different versions of w3m and underlying gc and ImageMagick.

Note You need to log in before you can comment on or make changes to this bug.