Bug#499945: Segfault in asn1_get_tag_der().

Kurt Roeckx kurt at roeckx.be
Tue Sep 23 21:16:53 UTC 2008


Package: libtasn1-3
Version: 1.4-1
Severity: grave

Hi,


When I run "lynx https://acrobat.com", I end up with a segfault.  The
backtrace looks like:
#0  asn1_get_tag_der (
    der=0x700000000000097 <Address 0x700000000000097 out of bounds>, 
    der_len=33, cls=0x7fffcc8f6b77 "h", len=0x7fffcc8f6b70, tag=0x7fffcc8f6b68)
    at decoding.c:127
#1  0x00002ab7df4db8de in _asn1_extract_tag_der (node=0x942850, 
    der=0x700000000000097 <Address 0x700000000000097 out of bounds>, 
    der_len=33, ret_len=0x7fffcc8f6cc8) at decoding.c:424
#2  0x00002ab7df4de383 in asn1_der_decoding (element=0x919fa0, 
    ider=0x700000000000097, len=33, errorDescription=0x0) at decoding.c:920
#3  0x00002ab7de88e3ff in gnutls_x509_crt_import ()
   from /usr/lib/libgnutls.so.26
#4  0x0000000000493a2c in ?? ()
#5  0x0000000000493bf4 in ?? ()
#6  0x000000000049cff1 in ?? ()
#7  0x000000000049ba7d in ?? ()
#8  0x0000000000429b07 in ?? ()
#9  0x0000000000433cbf in ?? ()
#10 0x000000000042e203 in ?? ()
#11 0x00002ab7ded371a6 in __libc_start_main () from /lib/libc.so.6
#12 0x0000000000405539 in ?? ()
#13 0x00007fffcc8f8318 in ?? ()
#14 0x000000000000001c in ?? ()
#15 0x0000000000000002 in ?? ()
#16 0x00007fffcc8f9c69 in ?? ()
#17 0x00007fffcc8f9c77 in ?? ()
#18 0x0000000000000000 in ?? ()
(gdb) frame 0
#0  asn1_get_tag_der (
    der=0x700000000000097 <Address 0x700000000000097 out of bounds>, 
    der_len=33, cls=0x7fffedcf6f77 "h", len=0x7fffedcf6f70, tag=0x7fffedcf6f68)
    at decoding.c:127
127     in decoding.c
(gdb) frame 1
#1  0x00002ab7df4db8de in _asn1_extract_tag_der (node=0x942850, 
    der=0x700000000000097 <Address 0x700000000000097 out of bounds>, 
    der_len=33, ret_len=0x7fffcc8f6cc8) at decoding.c:424
424     in decoding.c
(gdb) frame 2
#2  0x00002ab7df4de383 in asn1_der_decoding (element=0x919fa0, 
    ider=0x700000000000097, len=33, errorDescription=0x0) at decoding.c:920
920     in decoding.c
(gdb) p p
$1 = (node_asn *) 0x700000000000097
(gdb) p node
$2 = (node_asn *) 0x7fffcc8f6b68
(gdb) p *node
$3 = {
  name = 0x2adabe0e1c56 "\205ÀuÞM\205öu\204\220é­þÿÿH\211ÅH\213E(H\205À\220uóM\205ö\017\205hÿÿÿé\222þÿÿL\211ò¾\201", type = 1869048897, value = 0x0, 
  value_len = 9460992, down = 0x919fa0, right = 0x3, left = 0x21}
(gdb) p der
No symbol "der" in current context.
(gdb) p len
$4 = 33
(gdb) p counter
$5 = 0
(gdb) p len2
$6 = 9637200
(gdb) p p2->down
$7 = (struct node_asn_struct *) 0x7d204c4c554e000a
(gdb) p ris
$8 = 0
(gdb) p *p2
$10 = {name = 0x252200207b202000 <Address 0x252200207b202000 out of bounds>, 
  type = 539763315, 
  value = 0x2c756c2500202c4c <Address 0x2c756c2500202c4c out of bounds>, 
  value_len = 622985248, down = 0x7d204c4c554e000a, 
  right = 0x4e207b2020000a2c, left = 0x202c30202c4c4c55}


It's not exactly making sense to me why it wouldn't segfault earlier, like
at the "if ((p->type & CONST_OPTION) || (p->type & CONST_DEFAULT))" line.


Running valgrind, I also get:
==19443== Invalid read of size 8
==19443==    at 0x52E73D7: gnutls_x509_crt_import (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x493A2B: (within /usr/bin/lynx.cur)
==19443==    by 0x493BF3: (within /usr/bin/lynx.cur)
==19443==    by 0x49CFF0: (within /usr/bin/lynx.cur)
==19443==    by 0x49BA7C: (within /usr/bin/lynx.cur)
==19443==    by 0x429B06: (within /usr/bin/lynx.cur)
==19443==    by 0x433CBE: (within /usr/bin/lynx.cur)
==19443==    by 0x42E202: (within /usr/bin/lynx.cur)
==19443==    by 0x578F1A5: (below main) (libc-start.c:222)
==19443==  Address 0x6449c00 is 0 bytes after a block of size 16 alloc'd
==19443==    at 0x4C200FC: calloc (vg_replace_malloc.c:397)
==19443==    by 0x52C7584: (within /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x52C8008: _gnutls_proc_x509_server_certificate (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x52B79FF: _gnutls_recv_server_certificate (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x52B4A27: _gnutls_handshake_client (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x52B52E7: gnutls_handshake (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x494102: (within /usr/bin/lynx.cur)
==19443==    by 0x49CE96: (within /usr/bin/lynx.cur)
==19443==    by 0x49BA7C: (within /usr/bin/lynx.cur)
==19443==    by 0x429B06: (within /usr/bin/lynx.cur)
==19443==    by 0x433CBE: (within /usr/bin/lynx.cur)
==19443==    by 0x42E202: (within /usr/bin/lynx.cur)
==19443== 
==19443== Invalid read of size 4
==19443==    at 0x52E73DA: gnutls_x509_crt_import (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x493A2B: (within /usr/bin/lynx.cur)
==19443==    by 0x493BF3: (within /usr/bin/lynx.cur)
==19443==    by 0x49CFF0: (within /usr/bin/lynx.cur)
==19443==    by 0x49BA7C: (within /usr/bin/lynx.cur)
==19443==    by 0x429B06: (within /usr/bin/lynx.cur)
==19443==    by 0x433CBE: (within /usr/bin/lynx.cur)
==19443==    by 0x42E202: (within /usr/bin/lynx.cur)
==19443==    by 0x578F1A5: (below main) (libc-start.c:222)
==19443==  Address 0x6449c08 is 8 bytes after a block of size 16 alloc'd
==19443==    at 0x4C200FC: calloc (vg_replace_malloc.c:397)
==19443==    by 0x52C7584: (within /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x52C8008: _gnutls_proc_x509_server_certificate (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x52B79FF: _gnutls_recv_server_certificate (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x52B4A27: _gnutls_handshake_client (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x52B52E7: gnutls_handshake (in /usr/lib/libgnutls.so.26.4.5)
==19443==    by 0x494102: (within /usr/bin/lynx.cur)
==19443==    by 0x49CE96: (within /usr/bin/lynx.cur)
==19443==    by 0x49BA7C: (within /usr/bin/lynx.cur)
==19443==    by 0x429B06: (within /usr/bin/lynx.cur)
==19443==    by 0x433CBE: (within /usr/bin/lynx.cur)
==19443==    by 0x42E202: (within /usr/bin/lynx.cur)


I'm running libgnutls26 2.4.1-1 and lynx-cur 2.8.7dev9-2.


Kurt
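As an added illustration (not Kurt's code and not libtasn1's), this is the kind of bounds-checked decoding that a DER identifier/length reader in the role of asn1_get_tag_der(der, der_len, cls, len, tag) has to do: every byte is checked against der_len before it is read, and a length that claims more content than the buffer holds is rejected. Function names, the 28-bit tag limit and the sample bytes are this example's own assumptions.

```c
#include <stddef.h>
/* Added example, not libtasn1's code: bounds-checked decoding of the
 * identifier and length octets of a DER TLV, mirroring the contract of
 * asn1_get_tag_der(der, der_len, cls, len, tag) from the backtrace above.
 * Both return 0 on success, -1 on truncated or malformed input; names and
 * the 28-bit tag limit are this example's own assumptions. */

int der_get_tag(const unsigned char *der, size_t der_len,
                unsigned char *cls, size_t *consumed, unsigned long *tag)
{
    if (der == NULL || der_len == 0)
        return -1;                         /* never dereference an empty buffer */
    *cls = der[0] & 0xE0;                  /* class bits plus constructed bit */
    if ((der[0] & 0x1F) != 0x1F) {         /* low-tag-number form: one octet */
        *tag = der[0] & 0x1F;
        *consumed = 1;
        return 0;
    }
    unsigned long value = 0;               /* high form: base-128, MSB continues */
    size_t i = 1;
    do {
        if (i >= der_len || i > 4)
            return -1;                     /* truncated, or more than 28 bits */
        if (i == 1 && der[i] == 0x80)
            return -1;                     /* DER forbids a leading zero digit */
        value = (value << 7) | (der[i] & 0x7F);
    } while (der[i++] & 0x80);
    *tag = value;
    *consumed = i;
    return 0;
}

int der_get_length(const unsigned char *der, size_t der_len,
                   size_t *len, size_t *consumed)
{
    if (der == NULL || der_len == 0)
        return -1;
    if ((der[0] & 0x80) == 0) {            /* short form: one octet, < 128 */
        *len = der[0]; *consumed = 1; return 0;
    }
    size_t n = der[0] & 0x7F;              /* long form: n length octets follow */
    if (n == 0 || n > sizeof(size_t) || n >= der_len)
        return -1;                         /* indefinite, oversized or truncated */
    size_t v = 0;
    for (size_t i = 1; i <= n; i++)
        v = (v << 8) | der[i];
    if (der[1] == 0 || v < 0x80 || v > der_len - 1 - n)
        return -1;                         /* non-minimal, or longer than the buffer */
    *len = v; *consumed = 1 + n; return 0;
}
```

Note that none of these checks can help when the caller hands over a wild pointer such as der=0x700000000000097 with der_len=33, as in the backtrace: the first der[0] read faults before any check runs, which is why the valgrind report pointing at the 16-byte calloc'd block in gnutls_x509_crt_import is the more useful lead.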


More information about the Pkg-gnutls-maint mailing list