
[Bug-wget] wget/Chrome bug?


From: Gisle Vanem
Subject: [Bug-wget] wget/Chrome bug?
Date: Thu, 09 Apr 2015 14:59:29 +0200
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1

Can someone (on Linux/BSD etc.) confirm if Wget is crashing on this
command:
  set CHARSET=ISO8859-1  (not sure this is important)
  wget -dr -Ahtml http://cortexture.net/chromebug/test.html

I hope it's not only the Windows version of Wget/Gnulib that is
vulnerable....

Here is the call-stack:
  ...
  ntdll!RtlFreeHeap+0x45397
  MSVCR120!free+0x1a
  wget!free_vec(char ** vec = 0x0387e508)+0x23
  wget!cleanup(void)+0xc8     <<  !! free_vec (opt.accepts);
  wget!main(int argc = 0n1, char ** argv = 0x009f9148)+0x10f7

The crash is in util.c (1281):

void
free_vec (char **vec)
{
  if (vec)
    {
      char **p = vec;
      while (*p)
        xfree (*p++);   /* << !! crash here */
      xfree (vec);
    }
}


I was unable to dig into 'vec' and see what happens in detail.
But it seems to be a bug WRT 'opt.accept' and what 'merge()'
does.

PS.

Google Chrome prior to v42 was vulnerable to the below joke
HREF due to the "DNS Prefetching" feature (default 'on' it seems).
Ref:
   https://codereview.chromium.org/1007323003

And to be clear, Wget saves the test.html fine:

<a href="http://Lorem ipsum Culpa labore qui culpa enim nostrud eiusmod ullamco anim in dolor
  consequat voluptate in in laboris consequat d olor occaecat minim aliqua quis id in Duis
  eiusmod amet id do ex do dolore dolor anim sit deserunt do.">Hello World!</a>

It just doesn't cleanup() here very well.


--
--gv


