GNOME Bugzilla – Bug 520383
__xmlRaiseError alloc tons of memory and cause segfault
Last modified: 2008-04-03 07:32:22 UTC
(filed on Debian BTS by mozbugbox@yahoo.com.au) ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456653 )

libxml2 crashes liferea on some Chinese RSS feeds. The backtrace shows that in file error.c at XML_GET_VAR_STR(), it realloced too much memory. With vsnprintf, when it returns -1, there could be all kinds of errors other than just not enough buffer. In this Chinese feed, the error is "Invalid or incomplete multibyte or wide character", i.e. EILSEQ. So if XML_GET_VAR_STR really wants to handle the pre-glibc 2.1 error, it should check the precise errno first rather than blindly realloc more memory. Otherwise, just break out on the error.

Please see liferea bug: http://sourceforge.net/tracker/index.php?func=detail&aid=1818306&group_id=87005&atid=581684

This crash can only be seen under LC_CTYPE=zh_CN.gbk; under LC_CTYPE=C, liferea just shows a "failed to parse" error.

1. Download the file sohu-list-software-0-0.xml attached to the bug report.
2. Run liferea under LC_CTYPE=zh_CN.gbk.
3. Create a new subscription, point the subscription to the local file (New subscription->Advanced->Local file, select sohu-list-software-0-0.xml).
4. Then update the feed.
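The grow-and-retry loop the report describes, rewritten below as an added example (this is not libxml2's error.c code; the names fmt_buffer_using, fmt_vbuffer, probe and FMT_MAX_SIZE and the 64000 cap are this example's own assumptions). It treats a -1 from vsnprintf as "buffer too small" only when errno is clear, gives up immediately on EILSEQ instead of reallocating, and caps growth. Two stub formatters stand in for the pre-glibc 2.1 behaviour (-1 on truncation) and for the EILSEQ failure from the report, so the loop can be exercised offline without a GBK locale or the attached feed.

```c
/* Added example, not libxml2 code: a bounded, errno-aware version of the
 * "grow the buffer until vsnprintf fits" loop.  Names and the 64000 cap
 * are this example's own assumptions. */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum fmt_status { FMT_OK = 0, FMT_EILSEQ, FMT_ERROR, FMT_TOO_LONG, FMT_NOMEM };

/* Any vsnprintf-compatible formatter: the real one, or a stub in the checks. */
typedef int (*vsnprintf_fn)(char *, size_t, const char *, va_list);

#define FMT_INITIAL_SIZE 150    /* same starting size as the loop in error.c */
#define FMT_MAX_SIZE     64000  /* hard cap on growth (assumed value) */

static int fmt_last_calls;      /* formatter calls made by the last fmt_vbuffer */

static enum fmt_status
fmt_vbuffer(vsnprintf_fn vsn, char **out, const char *fmt, va_list ap)
{
    size_t size = FMT_INITIAL_SIZE;
    char *str = NULL;

    *out = NULL;
    fmt_last_calls = 0;
    for (;;) {
        va_list cp;
        int chars, err;
        char *grown = realloc(str, size);
        if (grown == NULL) { free(str); return FMT_NOMEM; }
        str = grown;

        va_copy(cp, ap);
        errno = 0;
        chars = vsn(str, size, fmt, cp);
        err = errno;
        va_end(cp);
        fmt_last_calls++;

        if (chars >= 0 && (size_t)chars < size) {
            *out = str;                 /* fits; vsn NUL-terminated it */
            return FMT_OK;
        }
        if (chars < 0 && err != 0) {
            /* A real conversion error (e.g. EILSEQ for an invalid multibyte
             * sequence under a GBK locale): more buffer can never fix it. */
            free(str);
            return err == EILSEQ ? FMT_EILSEQ : FMT_ERROR;
        }
        /* C99 (chars = length needed) or pre-C99 (-1, errno clear): the
         * message did not fit.  Grow, but never past the cap. */
        if (size >= FMT_MAX_SIZE || (chars >= 0 && (size_t)chars >= FMT_MAX_SIZE)) {
            free(str);
            return FMT_TOO_LONG;
        }
        if (chars >= 0)
            size = (size_t)chars + 1;   /* exact size reported by C99 vsnprintf */
        else
            size = size * 2 > FMT_MAX_SIZE ? FMT_MAX_SIZE : size * 2;
    }
}

static enum fmt_status
fmt_buffer_using(vsnprintf_fn vsn, char **out, const char *fmt, ...)
{
    va_list ap;
    enum fmt_status st;
    va_start(ap, fmt);
    st = fmt_vbuffer(vsn, out, fmt, ap);
    va_end(ap);
    return st;
}

/* Stub: a pre-glibc-2.1 vsnprintf that returns -1 (errno untouched) on truncation. */
static int old_vsnprintf(char *s, size_t n, const char *fmt, va_list ap)
{
    int r = vsnprintf(s, n, fmt, ap);
    return (r >= 0 && (size_t)r >= n) ? -1 : r;
}

/* Stub: the failure from the report, -1 with errno = EILSEQ whatever the size. */
static int eilseq_vsnprintf(char *s, size_t n, const char *fmt, va_list ap)
{
    (void)fmt; (void)ap;
    if (n > 0) s[0] = '\0';
    errno = EILSEQ;
    return -1;
}

/* Check helper: format `len` bytes of 'A' through `vsn` (constructed input).
 * Returns the number of formatter calls the loop made when the status is
 * `want` (and, for FMT_OK, the output is intact); -1 otherwise. */
static int probe(vsnprintf_fn vsn, size_t len, enum fmt_status want)
{
    char *msg = malloc(len + 1), *out = NULL;
    enum fmt_status st;
    int calls;
    if (msg == NULL) return -1;
    memset(msg, 'A', len);
    msg[len] = '\0';
    st = fmt_buffer_using(vsn, &out, "%s", msg);
    calls = fmt_last_calls;
    if (st != want || (st == FMT_OK && (out == NULL || strcmp(out, msg) != 0)))
        calls = -1;
    free(out);
    free(msg);
    return calls;
}

int main(void)
{
    printf("C99 libc, 599 bytes: %d calls\n", probe(vsnprintf, 599, FMT_OK));
    printf("old libc, 599 bytes: %d calls\n", probe(old_vsnprintf, 599, FMT_OK));
    printf("old libc, 70000 bytes: %d calls, then FMT_TOO_LONG\n",
           probe(old_vsnprintf, 70000, FMT_TOO_LONG));
    printf("EILSEQ: %d call before giving up\n", probe(eilseq_vsnprintf, 10, FMT_EILSEQ));
    return 0;
}
```

The old unbounded loop would never return from the eilseq_vsnprintf case; here it makes exactly one call and reports FMT_EILSEQ, while the pre-C99 stub still grows by doubling and stops at the cap after ten calls instead of running until realloc fails.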
The problem actually lies in glibc, and has been known for at least 4 years, but hasn't been considered a bug :( See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=208308
Still libxml2 while(1) { ... realloc() } just should be bounded something like that should be way saner. paphio:~/XML -> svn diff Index: error.c =================================================================== --- error.c (revision 3721) +++ error.c (working copy) @@ -31,7 +31,7 @@ void XMLCDECL xmlGenericErrorDefaultFunc \ size = 150; \ \ - while (1) { \ + while (size < 64000) { \ va_start(ap, msg); \ chars = vsnprintf(str, size, msg, ap); \ va_end(ap); \ paphio:~/XML -> Commited in revision 3725, if you could check it really fixes the problem that would be nice. Daniel
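Review bot: the new `while (size < 64000)` condition in this hunk only caps how far the loop grows; every -1 from `vsnprintf` is still taken as "buffer too small", so the EILSEQ case that triggered the report still reallocates and re-formats the message on each pass up to the cap, and the hunk does not show what happens to `str` when the loop ends by hitting the bound rather than by a successful format (after a -1 return the buffer contents are not guaranteed to be NUL-terminated). Suggest checking errno after a negative return and breaking out on EILSEQ, as the reporter proposed, instead of growing; making sure `str` is terminated and usable on the no-fit exit; and giving 64000 a named constant next to `size = 150` so the limit is visible where it applies.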