<div dir="ltr">Package: tk-html3
Version: 3.0~fossil20110109-8
Severity: normal
X-Debbugs-Cc: none

Dear Maintainer,

I am not sure whether this is the right place, but I would like to report a bug in libTkhtml3.0.so used by the hv3 browser. To reproduce it use the following steps:
```
$ echo '<style>.hello { background-color:rgb(A); }</style>' > bug.html
$ hv3 bug.html
Segmentation fault
```

Due to the printed Segmentation fault message, I researched the bug a bit further to establish why it happens.

This is the backtrace shown once SIGSEGV occurs:
```
 ► 0   0x7ffff73b4482 inputNextToken+50
   1   0x7ffff73b49cb inputNextTokenIgnoreSpace+11
   2   0x7ffff73b5b57 HtmlCssGetNextCommaListItem+71
   3   0x7ffff73af784 tokenToProperty+1444
   4   0x7ffff73b0155 HtmlCssDeclaration+421
   5   0x7ffff73b4e0b parseDeclarationBlock+795
   6   0x7ffff73b5510 HtmlCssRunParser+1696
   7   0x7ffff73aeabd cssParse+429
```

The function in question is `tokenToProperty`, which calls the `rgbToColor` function that parses the `rgb()` CSS function call: <a href="https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L430">https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L430</a>

The parser expects the format of the function call to be `rgb(A, B, C)`, which doesn't have to be the case nowadays. A valid example may be:
```
#example {
  background-color: rgb(var(--color));
}
```

Because the function call does not conform to the format hv3 expects, the `rgbToColor` function will iterate three times through its arguments searching for values separated by commas and end up dereferencing a null pointer:
```
 ► 0x7ffff73af77f <tokenToProperty+1439>    call   HtmlCssGetNextCommaListItem@plt                <HtmlCssGetNextCommaListItem@plt>
        rdi: 0x0
        rsi: 0x55f7348b
        rdx: 0x7fffffffc048 ◂— 0xffffffffffffffff
        rcx: 0x0
...
Thread 1 "wish" received signal SIGSEGV, Segmentation fault.
0x00007ffff73b4482 in inputNextToken () from /usr/lib/Tkhtml3.0/libTkhtml3.0.so
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────
 RAX  0x0
 RBX  0x0
 RCX  0x0
*RDX  0x7fffffffc538 ◂— 0xffffffffffffffff
*RDI  0x7fffffffc400 ◂— 0x0
*RSI  0x55fbd63f
*R8   0x7ffff7c6d560 (_nl_global_locale) —▸ 0x5555555593f0 —▸ 0x555555559350 ◂— 'en_US.UTF-8'
*R9   0x3
 R10  0x0
*R11  0x7ffff7c164c0 (_nl_C_LC_CTYPE_tolower+512) ◂— 0x100000000
 R12  0x0
*R13  0x7fffffffc400 ◂— 0x0
 R14  0x0
*R15  0x55fbd63f
*RBP  0x55fbd63f
*RSP  0x7fffffffc360 —▸ 0x555555f886b0 ◂— 0x3
*RIP  0x7ffff73b4482 (inputNextToken+50) ◂— cmp byte ptr [rbx], 0x2f
──────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────
 ► 0x7ffff73b4482 <inputNextToken+50>     cmp    byte ptr [rbx], 0x2f
   0x7ffff73b4485 <inputNextToken+53>     je     inputNextToken+232                <inputNextToken+232>
    ↓
   0x7ffff73b4538 <inputNextToken+232>    cmp    byte ptr [rbx + 1], 0x2a
   0x7ffff73b453c <inputNextToken+236>    jne    inputNextToken+59                <inputNextToken+59>
    ↓
   0x7ffff73b448b <inputNextToken+59>     movzx  edx, byte ptr [rbx]
   0x7ffff73b448e <inputNextToken+62>     cmp    dl, 0x20
   0x7ffff73b4491 <inputNextToken+65>     jle    inputNextToken+97                <inputNextToken+97>
    ↓
   0x7ffff73b44b1 <inputNextToken+97>     cmp    dl, 8
   0x7ffff73b44b4 <inputNextToken+100>    jg     inputNextToken+398                <inputNextToken+398>
    ↓
   0x7ffff73b45de <inputNextToken+398>    movabs rax, 0x100002600
   0x7ffff73b45e8 <inputNextToken+408>    bt     rax, rdx
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ rsp 0x7fffffffc360 —▸ 0x555555f886b0 ◂— 0x3
01:0008│     0x7fffffffc368 ◂— 0x41007fffffffffff
02:0010│     0x7fffffffc370 ◂— 0x0
03:0018│     0x7fffffffc378 ◂— 0x0
04:0020│     0x7fffffffc380 —▸ 0x555555f886e0 ◂— 0x3
05:0028│     0x7fffffffc388 ◂— 0xf037dcd0ffffffff
06:0030│     0x7fffffffc390 —▸ 0x555555b3427b ◂— 'info exists ::hv3::log_source_option]} return\n    if {$::hv3::log_source_option} {\n      append O(myHtmlDocument) $data\n    }\n  '
07:0038│     0x7fffffffc398 —▸ 0x7fffffffc138 —▸ 0x7fffffffc1b8 —▸ 0x7fffffffc1d8 ◂— 0x0
...
```

In the code I have identified the following calls causing the crash:
- `rgbToColor` fetches the next comma list item by calling `HtmlCssGetNextCommaListItem`: <a href="https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L444">https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L444</a>
```
aToken[ii].z = HtmlCssGetNextCommaListItem(z, zEnd - z, &aToken[ii].n);
```
- `HtmlCssGetNextCommaListItem` calls `inputNextTokenIgnoreSpace`, which calls `inputNextToken`: <a href="https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L1186">https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L1186</a>
```
inputNextTokenIgnoreSpace(&sInput);
```
- `inputNextToken` dereferences the NULL pointer `z` at `z[0]`: <a href="https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L208">https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L208</a>
```
switch( z[0] ){
```

This bug also makes the hv3 browser crash on legitimate sites, effectively making it unusable:
```
$ hv3 http://wordpress.com
Error in -requestcmd https://fonts-api.wp.com/css?family=Raleway:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|Cabin:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|: Illegal characters in URL path
Segmentation fault
```

If my analysis is correct, the fix for this issue would be to change the current rgb function parsing implementation and add support for other types of function arguments.

Although it seems to me that this browser has been unmaintained for several years now, I see it is available in the Debian repos, so I decided to report the bug.

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tk-html3 depends on:
ii  libc6     2.36-9+deb12u3
ii  libx11-6  2:1.8.4-2+deb12u2
ii  tk        8.6.13

tk-html3 recommends no packages.

tk-html3 suggests no packages.

-- no debconf information
</div>
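As an added example (my own simplified code, not tkhtml3's; the names `next_comma_item` and `parse_rgb_args` are invented here), this is the shape of the defensive parsing that the fix described in the report needs: the scanner never hands back a pointer that the next call will dereference, and the caller stops as soon as an item is missing or is not a plain number instead of assuming that three comma-separated values exist.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified comma-list scanner (not tkhtml3's HtmlCssGetNextCommaListItem).
 * Returns the next item with spaces trimmed and its length in *pn, and
 * advances *pz past the item and its trailing comma. Returns NULL when no
 * item is left, so a caller that keeps looping gets NULL, not a crash. */
static const char *next_comma_item(const char **pz, const char *zEnd, int *pn)
{
    const char *z = *pz;
    if (z == NULL) return NULL;
    while (z < zEnd && *z == ' ') z++;              /* skip leading spaces */
    if (z >= zEnd) return NULL;                     /* nothing left to scan */
    const char *start = z;
    while (z < zEnd && *z != ',') z++;              /* find the separator */
    const char *stop = z;
    while (stop > start && stop[-1] == ' ') stop--; /* trim trailing spaces */
    *pn = (int)(stop - start);
    *pz = (z < zEnd) ? z + 1 : z;                   /* step past the comma */
    return start;
}

/* Parse the argument list of rgb(...) into three 0..255 integers.
 * Returns 1 on success and 0 for anything else: "A", "var(--color)",
 * fewer or more than three items, an empty item, or an out-of-range value.
 * A rejected list lets the caller fall back (e.g. ignore the declaration)
 * rather than walking past the end of the argument list. */
int parse_rgb_args(const char *args, int out[3])
{
    const char *z = args;
    const char *zEnd = args + strlen(args);
    for (int ii = 0; ii < 3; ii++) {
        int n = 0;
        const char *item = next_comma_item(&z, zEnd, &n);
        if (item == NULL || n == 0) return 0;       /* fewer than three items */
        char *end;
        long v = strtol(item, &end, 10);
        if (end != item + n || v < 0 || v > 255) return 0; /* not a plain number */
        out[ii] = (int)v;
    }
    int n = 0;
    return next_comma_item(&z, zEnd, &n) == NULL;   /* reject a fourth item */
}
```

A trailing comma after the third value is tolerated by this scanner; everything else that is not three plain numbers is rejected.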