[Bug-wget] [bug #46806] Segfault on downloading a file with unicode diac


From: Tomasz Ostrowski
Subject: [Bug-wget] [bug #46806] Segfault on downloading a file with unicode diacritics in file name
Date: Mon, 04 Jan 2016 10:20:19 +0000
User-agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0

URL:
  <http://savannah.gnu.org/bugs/?46806>

                 Summary: Segfault on downloading a file with unicode diacritics in file name
                 Project: GNU Wget
            Submitted by: tometzky
            Submitted on: Mon 04 Jan 2016 10:20:16 AM GMT
                Category: Crash/Freeze/Infloop
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 1.17
        Operating System: None
         Reproducibility: Every Time
           Fixed Release: None
         Planned Release: None
              Regression: None
           Work Required: None
          Patch Included: No

    _______________________________________________________

Details:

Example filename: "Zażółć gęślą jaźń"

$ MALLOC_CHECK_=3 ./wget -S
'http://prhn.ato.waw.pl/~tometzky/tmp/Za%C5%BC%C3%B3%C5%82%C4%87%20g%C4%99%C5%9Bl%C4%85%20ja%C5%BA%C5%84'
--2016-01-04 11:09:49-- 
http://prhn.ato.waw.pl/~tometzky/tmp/Za%C5%BC%C3%B3%C5%82%C4%87%20g%C4%99%C5%9Bl%C4%85%20ja%C5%BA%C5%84
Resolving prhn.ato.waw.pl (prhn.ato.waw.pl)... 81.18.204.35
Connecting to prhn.ato.waw.pl (prhn.ato.waw.pl)|81.18.204.35|:80...
connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Mon, 04 Jan 2016 10:09:49 GMT
  Server: Apache/2.2.15 (CentOS)
  Last-Modified: Wed, 11 Jul 2007 14:07:10 GMT
  ETag: "591071-0-434fd64d69f80"
  Accept-Ranges: bytes
  Content-Length: 0
  Connection: close
  Content-Type: text/plain
Length: 0 [text/plain]
Saving to: ‘Zażó\305%82\304%87 g\304%99\305%9Bl\304%85 jaź\305%84.4’

Zażó�%82�%87 g�%99�%9Bl�%85 jaź�%84.4     [<=>                 
                                                   ]       0  --.-KB/s        
     Segmentation fault (core dumped)


$ gdb -c core.2499 ./wget
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __memset_sse2 () at ../sysdeps/x86_64/memset.S:93
93              movdqa  %xmm8, (%rcx)
(gdb) bt
#0  __memset_sse2 () at ../sysdeps/x86_64/memset.S:93
#1  0x000000000042f49f in create_image (bp=0x269b000, dl_total_time=0,
done=true) at progress.c:1167
#2  0x000000000042e46c in bar_finish (progress=0x269b000, dltime=0) at
progress.c:673
#3  0x000000000042d806 in progress_finish (progress=0x269b000, dltime=0) at
progress.c:197
#4  0x000000000043300c in fd_read_body (downloaded_filename=0x2695190
"Zażó\305%82\304%87 g\304%99\305%9Bl\304%85 jaź\305%84.4", fd=4, 
    out=0x2698bc0, toread=0, startpos=0, qtyread=0x7fffb4511f10,
qtywritten=0x7fffb4511ec0, elapsed=0x7fffb4511f18, flags=1, out2=0x0) at
retr.c:429
#5  0x000000000041fbec in read_response_body (hs=0x7fffb4511ec0, sock=4,
fp=0x2698bc0, contlen=0, contrange=0, chunked_transfer_encoding=false, 
    url=0x2694e40
"http://prhn.ato.waw.pl/~tometzky/tmp/Za%C5%BC%C3%B3%C5%82%C4%87%20g%C4%99%C5%9Bl%C4%85%20ja%C5%BA%C5%84",

    warc_timestamp_str=0x7fffb4511970 "\240\065Y\361\250\177",
warc_request_uuid=0x7fffb4511940 "\t", warc_ip=0x0, type=0x2677dd0
"text/plain", 
    statcode=200, 
    head=0x2698920 "HTTP/1.1 200 OK\r\nDate: Mon, 04 Jan 2016 10:09:49
GMT\r\nServer: Apache/2.2.15 (CentOS)\r\nLast-Modified: Wed, 11 Jul 2007
14:07:10 GMT\r\nETag: \"591071-0-434fd64d69f80\"\r\nAccept-Ranges:
bytes\r\nContent-Length"...) at http.c:1682
#6  0x0000000000423d08 in gethttp (u=0x2694d10, hs=0x7fffb4511ec0,
dt=0x7fffb4512204, proxy=0x0, iri=0x2694bc0, count=1) at http.c:3753
#7  0x00000000004243a6 in http_loop (u=0x2694d10, original_url=0x2694d10,
newloc=0x7fffb4512048, local_file=0x7fffb4512038, referer=0x0, 
    dt=0x7fffb4512204, proxy=0x0, iri=0x2694bc0) at http.c:3971
#8  0x0000000000433a37 in retrieve_url (orig_parsed=0x2694d10, 
    origurl=0x2694b40
"http://prhn.ato.waw.pl/~tometzky/tmp/Za%C5%BC%C3%B3%C5%82%C4%87%20g%C4%99%C5%9Bl%C4%85%20ja%C5%BA%C5%84",

    file=0x7fffb4512210, newloc=0x7fffb4512208, refurl=0x0, dt=0x7fffb4512204,
recursive=false, iri=0x2694bc0, register_status=true) at retr.c:817
#9  0x000000000042c7ef in main (argc=3, argv=0x7fffb45123e8) at main.c:1868

$ locale
LANG=en_US.utf8
LC_CTYPE="en_US.utf8"
LC_NUMERIC="en_US.utf8"
LC_TIME="en_US.utf8"
LC_COLLATE="en_US.utf8"
LC_MONETARY="en_US.utf8"
LC_MESSAGES="en_US.utf8"
LC_PAPER="en_US.utf8"
LC_NAME="en_US.utf8"
LC_ADDRESS="en_US.utf8"
LC_TELEPHONE="en_US.utf8"
LC_MEASUREMENT="en_US.utf8"
LC_IDENTIFICATION="en_US.utf8"
LC_ALL=

This is self-compiled wget 1.17.1 on Fedora 23 x86_64:
$ cd wget-1.17.1/
$ ./configure --prefix=/tmp/wget
$ make CFLAGS='-O0 -g'
$ make install

I don't know if it's exploitable memory corruption.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Mon 04 Jan 2016 10:20:16 AM GMT  Name: core.2499.xz  Size: 92kB   By: tometzky
Core file attached (xz compressed).
<http://savannah.gnu.org/bugs/download.php?file_id=35915>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?46806>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
