Bug#279202: scrollkeeper-update crashes due to incorrectly allocated pointer

William Steve Applegate <wsapplegate@est.un.goret.info>, 279202@bugs.debian.org
Mon, 01 Nov 2004 13:46:29 +0100


Package: scrollkeeper
Version: 0.3.14-9.1debug
Severity: important


Hi,

while doing an upgrade, apt-get bailed out because of a segfault in
scrollkeeper-update. I was able to reproduce it by hand: Apparently, one
file part of gnome-utils (2.6.2-1) is incorrect, and scrollkeeper
segfaults while trying to display an error message. Here's what I got
after recompiling scrollkeeper and libxml2 with debug symbols:

root@betelgeuse|pts/47:~# scrollkeeper-rebuilddb -v
[...]
Registering /usr/share/omf/gnome-utils/gnome-dictionary-ja.omf
Registering /usr/share/omf/gnome-utils/gfloppy-C.omf
/usr/bin/scrollkeeper-rebuilddb: line 48:  1145 Erreur de segmentation (core dumped) scrollkeeper-update $quiet $verbose -p $scrollkeeper_db_dir
root@betelgeuse|pts/47:~# gdb /usr/bin/scrollkeeper-update core
[...]
Core was generated by `scrollkeeper-update -v -p /var/lib/scrollkeeper'.
Program terminated with signal 11, Segmentation fault.
[...]
#0  0x4007a59b in __xmlRaiseError (schannel=0, channel=0x401d74d0 <sk_dtd_validation_message>, data=0xbfffe76f, ctx=0xbfffe76f, nod=0x8516078, domain=23, code=504,
    level=XML_ERR_ERROR, file=0x0, line=0, str1=0x84d3018 "resource", str2=0x84d3018 "resource",
    str3=0xbfffbdc0 "(creator title contributor date subject format identifier language relation )", int1=0, int2=0,
    msg=0x40165d60 "Element %s content does not follow the DTD, expecting %s, got %s\n") at error.c:458
458             if ((schannel == NULL) && (ctxt != NULL) && (ctxt->sax != NULL) &&
(gdb) p ctxt
$1 = 0xbfffe76f
(gdb) p ctxt->sax
$2 = (struct _xmlSAXHandler *) 0xffe76f43
(gdb) p ctxt->sax->initialized
Cannot access memory at address 0xffe76faf
(gdb) bt
#0  0x4007a59b in __xmlRaiseError (schannel=0, channel=0x401d74d0 <sk_dtd_validation_message>, data=0xbfffe76f, ctx=0xbfffe76f, nod=0x8516078, domain=23, code=504,
    level=XML_ERR_ERROR, file=0x0, line=0, str1=0x84d3018 "resource", str2=0x84d3018 "resource",
    str3=0xbfffbdc0 "(creator title contributor date subject format identifier language relation )", int1=0, int2=0,
    msg=0x40165d60 "Element %s content does not follow the DTD, expecting %s, got %s\n") at error.c:458
#1  0x400b3097 in xmlErrValidNode (ctxt=0xbfffe770, node=0x8516078, error=XML_DTD_CONTENT_MODEL,
    msg=0x40165d60 "Element %s content does not follow the DTD, expecting %s, got %s\n", str1=0x84d3018 "resource",
    str2=0xbfffd150 "(creator+ , maintainer* , contributor* , title , date , version* , subject* , description? , type* , coverage* , format , identifier , language , relation* , source* , rights*)", str3=0xbfffbdc0 "(creator title contributor date subject format identifier language relation )") at valid.c:137
#2  0x400bb51c in xmlValidateElementContent (ctxt=0xbfffe770, child=0x85160c8, elemDecl=0x84d2898, warn=1, parent=0x8516078) at valid.c:5166
#3  0x400bc986 in xmlValidateOneElement__internal_alias (ctxt=0xbfffe770, doc=0x81806b0, elem=0x8516078) at valid.c:5866
#4  0x400bd0bb in xmlValidateElement__internal_alias (ctxt=0xbfffe770, doc=0x81806b0, elem=0x8516078) at valid.c:6110
#5  0x400bd20f in xmlValidateElement__internal_alias (ctxt=0xbfffe770, doc=0x81806b0, elem=0x8180750) at valid.c:6131
#6  0x400bd78b in xmlValidateDtd__internal_alias (ctxt=0xbfffe770, doc=0x81806b0, dtd=0x81809b8) at valid.c:6342
#7  0x401d91e2 in install (omf_name=0x8052b50 "/usr/share/omf/gnome-utils/gfloppy-ja.omf", scrollkeeper_dir=0xbffff830 "/var/lib/scrollkeeper",
    data_dir=0xbffff520 "/usr/share/scrollkeeper", outputprefs=67 'C') at install.c:194
#8  0x0804a254 in main (argc=4, argv=0xbffffb64) at update.c:541

Looking at libs/install.c, I noticed the following code (at line 190):

    190         cvp.userData = (char *) &outputprefs;

The userData member is later reused by libxml2 in valid.c, in the
following code:

    129     xmlParserCtxtPtr pctxt = NULL;
    [...]
    134         data = ctxt->userData;
    135         pctxt = ctxt->userData;

The problem is, obviously, that userData is nothing like a pointer to an
xmlParserCtxt structure. Hence, the code fails in libxml2's error.c, on
the following line:

    457         ctxt = (xmlParserCtxtPtr) ctx;
    458         if ((schannel == NULL) && (ctxt != NULL) && (ctxt->sax != NULL) &&
    459             (ctxt->sax->initialized == XML_SAX2_MAGIC))

I've been able to verify this by replacing line 190 in libs/install.c
with a call to xmlNewParserCtxt(). This indeed prevented segfaults.
Instead, I got what seemed to be a normal error message on the faulty
files:

OMF file [/usr/share/omf/gnome-utils/gfloppy-ja.omf] does not validate against ScrollKeeper-OMF DTD: /usr/share/xml/scrollkeeper/dtds/scrollkeeper-omf.dtd
Unable to register /usr/share/omf/gnome-utils/gfloppy-ja.omf
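
Added example (not scrollkeeper's or libxml2's code): a self-contained C model of the pointer mix-up above. The struct and field names (userData, sax->initialized, _private) follow the backtrace and libxml2's public headers, but the functions are a constructed stand-in for error.c and valid.c, not the library itself. It shows the corrected caller, which hands the validator a real parser context (what the xmlNewParserCtxt() replacement tried above amounts to) and carries outputprefs in the context's _private slot so that the error callback gets its settings back; moving the settings into _private and adjusting the callback is my assumption about how the fix is completed, not something the report states. On the library side the cast is gated on a flag in the validation context, which is how later libxml2 releases (XML_VCTXT_USE_PCTXT) stop dereferencing an opaque userData. The return codes exist only so the two paths can be checked.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the structures named in the report. */
#define SAX2_MAGIC      0xDEEDBEAFu
#define VCTXT_USE_PCTXT 0x1u   /* "userData really is a parser context" */

struct sax_handler { unsigned int initialized; };

struct parser_ctxt {
    struct sax_handler *sax;
    void *_private;            /* slot the library never touches */
};

typedef void (*error_fn)(void *data, const char *msg);

struct valid_ctxt {
    void *userData;            /* handed to error_fn; see report_invalid() */
    error_fn error;
    unsigned int flags;
};

enum { ERR_GENERIC = 1, ERR_STRUCTURED = 2 };

/* Model of error.c:457-459: ctx is reinterpreted as a parser context.
 * In the reported libxml2 this cast ran unconditionally on userData. */
static int raise_error(error_fn channel, void *data, void *ctx,
                       const char *msg)
{
    struct parser_ctxt *ctxt = (struct parser_ctxt *) ctx;
    int path = ERR_GENERIC;

    if (ctxt != NULL && ctxt->sax != NULL &&
        ctxt->sax->initialized == SAX2_MAGIC)
        path = ERR_STRUCTURED;
    if (channel != NULL)
        channel(data, msg);
    return path;
}

/* Model of valid.c:134-135, but userData is only passed on as a parser
 * context when the caller has declared that it is one. */
static int report_invalid(struct valid_ctxt *vctxt, const char *msg)
{
    void *pctxt = NULL;

    if (vctxt->flags & VCTXT_USE_PCTXT)
        pctxt = vctxt->userData;
    return raise_error(vctxt->error, vctxt->userData, pctxt, msg);
}

/* Application side: stand-in for sk_dtd_validation_message, fetching its
 * settings from the parser context's _private slot (assumed fix). */
static char seen_prefs;
static char seen_msg[80];

static void dtd_validation_message(void *data, const char *msg)
{
    const struct parser_ctxt *pctxt = data;

    seen_prefs = *(const char *) pctxt->_private;
    strncpy(seen_msg, msg, sizeof seen_msg - 1);
    seen_msg[sizeof seen_msg - 1] = '\0';
}

const char *last_validation_message(void) { return seen_msg; }

/* Corrected install(): userData is a real parser context and outputprefs
 * travels in _private. Returns the error path taken, or -1 if the
 * callback did not get its settings back. */
int install_fixed(char outputprefs)
{
    struct sax_handler sax = { SAX2_MAGIC };
    struct parser_ctxt *pctxt = calloc(1, sizeof *pctxt);
    struct valid_ctxt cvp;
    int path;

    if (pctxt == NULL)
        return -1;
    pctxt->sax = &sax;
    pctxt->_private = &outputprefs;

    /* was: cvp.userData = (char *) &outputprefs;   (install.c:190) */
    cvp.userData = pctxt;
    cvp.error = dtd_validation_message;
    cvp.flags = VCTXT_USE_PCTXT;

    seen_prefs = 0;
    path = report_invalid(&cvp, "Element resource content does not follow the DTD");
    free(pctxt);
    return seen_prefs == outputprefs ? path : -1;
}

/* A caller that keeps userData opaque: with the flag clear the library
 * must take the generic path and never cast the pointer. */
int report_with_opaque_userdata(void)
{
    char token = 'x';
    struct valid_ctxt cvp = { &token, NULL, 0 };

    return report_invalid(&cvp, "DTD error");
}

int main(void)
{
    int fixed = install_fixed('C');

    printf("fixed caller: path %d, callback saw outputprefs '%c'\n", fixed, seen_prefs);
    printf("opaque caller: path %d\n", report_with_opaque_userdata());
    return 0;
}
```

The point of the flag is that the library side, not the caller, decides whether userData may be dereferenced; a caller that sets it promises a parser context, and one that does not keeps the opaque contract the scrollkeeper code relied on.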

I'm not sure who is at fault here, scrollkeeper or libxml2; I'll leave
it to you to determine what is really going on here. If you need any
other information on this problem, feel free to ask.

As an aside, this could be a duplicate of bug #233561, but I'm unsure
about this.

Thanks,
	-- William.

-- System Information:
Debian Release: 3.1
  APT prefers experimental
  APT policy: (600, 'experimental'), (550, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.4-wolk2.3
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to fr_FR@euro)

Versions of packages scrollkeeper depends on:
ii  docbook-xml              4.3-1           standard XML documentation system,
ii  libc6                    2.3.2.ds1-18    GNU C Library: Shared libraries an
ii  libxml2                  2.6.15-1.0debug GNOME XML library
ii  libxslt1.1               1.1.11-1        XSLT processing library - runtime
ii  zlib1g                   1:1.2.2-1       compression library - runtime

-- no debconf information