Posted to dev@httpd.apache.org by Ewald Dieterich <ew...@mailbox.org> on 2016/12/05 13:38:17 UTC

Segfault in mod_xml2enc.c with big5 charset

I have a segfault in mod_xml2enc.c, xml2enc_ffunc() when processing a 
page with big5 charset.

The crash happens in line 472 because ctx->convset is NULL:

rv = apr_xlate_conv_buffer(ctx->convset, buf+(bytes - insz),
                            &insz, ctx->buf, &ctx->bytes);

The sequence leading to this crash is:

* Call apr_xlate_conv_buffer(...). Return value is APR_INCOMPLETE (_not_ 
APR_EINCOMPLETE) (probably because the buffer ends in the middle of a 
multi-byte character).

* In "switch (rv)" enter the default case, set ctx->convset to NULL, and 
despite what the comment says ("Bail out, flush ...") don't bail out, 
instead continue with the loop.

* Call apr_xlate_conv_buffer(NULL, ...), crash with a segfault.

2 questions:

(1) Is APR_INCOMPLETE the same as APR_EINCOMPLETE when using the xlate 
API? Then the "case APR_EINCOMPLETE" should probably also handle "case 
APR_INCOMPLETE".

(2) What's the proper way to bail out from the default case? Just return 
or is there anything to consider regarding ctx->bbnext?

Thanks for your help.
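The loop shape the two questions are asking about, as an added example that is not code from mod_xml2enc or APR: a chunked conversion loop that carries a partial trailing multibyte character over to the next chunk instead of treating it as fatal, and that really leaves the loop (and refuses further calls) once the converter handle has been invalidated, so the handle can never be passed to the converter as NULL. The toy double-byte charset, the status names and values, the chunking driver and the sample inputs are all constructed for this example; it assumes, as the thread describes, that the converter reports a lead byte with no trail byte at the end of the input as a distinct "incomplete" status with the partial bytes left unconsumed.

```c
#include <stddef.h>
#include <string.h>

/* Status codes for the toy converter. The names echo the ones discussed in
 * the thread, but the values and the converter itself are constructed for
 * this example and are not APR's. */
typedef enum { ST_SUCCESS = 0, ST_INCOMPLETE, ST_BADSEQ, ST_NOSPACE } status_t;

/* Toy double-byte charset: bytes < 0x80 are ASCII and copied through; a lead
 * byte >= 0x80 must be followed by one trail byte >= 0x40 and the pair is
 * emitted as a single '#'. A lead byte at the very end of the input is
 * reported as ST_INCOMPLETE with that byte left unconsumed, which is the
 * situation the thread describes. */
static status_t toy_conv(const unsigned char **in, size_t *inleft,
                         char **out, size_t *outleft)
{
    while (*inleft > 0) {
        unsigned char c = **in;
        if (*outleft == 0)
            return ST_NOSPACE;
        if (c < 0x80) {
            *(*out)++ = (char)c; (*outleft)--; (*in)++; (*inleft)--;
            continue;
        }
        if (*inleft < 2)
            return ST_INCOMPLETE;   /* partial character: caller must carry it over */
        if ((*in)[1] < 0x40)
            return ST_BADSEQ;       /* invalid trail byte: unrecoverable */
        *(*out)++ = '#'; (*outleft)--; *in += 2; *inleft -= 2;
    }
    return ST_SUCCESS;
}

#define CARRY_MAX 8
#define OUT_MAX 256

typedef struct {
    int convset_ok;                 /* stands in for ctx->convset != NULL */
    unsigned char carry[CARRY_MAX]; /* partial character left over from the previous chunk */
    size_t ncarry;
    char out[OUT_MAX];              /* converted text, NUL-terminated */
    size_t outlen;
    status_t err;                   /* first fatal status seen, if any */
} filter_ctx;

static void ctx_init(filter_ctx *ctx)
{
    memset(ctx, 0, sizeof *ctx);
    ctx->convset_ok = 1;
}

/* Feed one chunk. Returns ST_SUCCESS when the chunk was consumed, possibly
 * leaving a partial trailing character carried into the next call; returns
 * the fatal status otherwise, after which the context refuses further input. */
static status_t feed_chunk(filter_ctx *ctx, const unsigned char *chunk, size_t len)
{
    unsigned char buf[CARRY_MAX + 64];   /* chunks are small in this example */
    const unsigned char *in;
    size_t inleft;

    if (!ctx->convset_ok)
        return ctx->err;                 /* never hand a dead handle to the converter */
    if (ctx->ncarry + len > sizeof buf)
        return ST_NOSPACE;
    memcpy(buf, ctx->carry, ctx->ncarry);
    memcpy(buf + ctx->ncarry, chunk, len);
    in = buf;
    inleft = ctx->ncarry + len;
    ctx->ncarry = 0;

    while (inleft > 0) {
        char *out = ctx->out + ctx->outlen;
        size_t outleft = OUT_MAX - 1 - ctx->outlen;
        status_t rv = toy_conv(&in, &inleft, &out, &outleft);
        ctx->outlen = (size_t)(out - ctx->out);
        ctx->out[ctx->outlen] = '\0';
        switch (rv) {
        case ST_SUCCESS:
            break;                       /* inleft is 0 now, the loop ends */
        case ST_INCOMPLETE:
            /* Not an error: stash the unconsumed tail for the next chunk. */
            memcpy(ctx->carry, in, inleft);
            ctx->ncarry = inleft;
            inleft = 0;
            break;
        default:
            /* Bail out for real: invalidate the handle AND leave the loop,
             * instead of looping again with a NULL handle. (A real filter
             * would flush and continue on ST_NOSPACE; kept fatal here.) */
            ctx->convset_ok = 0;
            ctx->err = rv;
            return rv;
        }
    }
    return ST_SUCCESS;
}

/* End of stream: a carried partial character means the input was truncated. */
static status_t finish(filter_ctx *ctx)
{
    if (!ctx->convset_ok)
        return ctx->err;
    if (ctx->ncarry > 0) {
        ctx->convset_ok = 0;
        ctx->err = ST_INCOMPLETE;
        return ST_INCOMPLETE;
    }
    return ST_SUCCESS;
}

/* Drive a whole input through feed_chunk() in fixed-size pieces so that chunk
 * boundaries land inside double-byte characters; the text ends up in ctx->out. */
static status_t run_stream(filter_ctx *ctx, const unsigned char *data,
                           size_t len, size_t chunk)
{
    size_t off;
    ctx_init(ctx);
    for (off = 0; off < len; off += chunk) {
        size_t n = len - off < chunk ? len - off : chunk;
        status_t rv = feed_chunk(ctx, data + off, n);
        if (rv != ST_SUCCESS)
            return rv;
    }
    return finish(ctx);
}
```

The two points a practitioner would take from this: an "incomplete" status at a chunk boundary is expected input, so the right reaction is to keep the unconsumed bytes (the converter leaves them behind on purpose) and try again with the next chunk; and the default branch must end the loop in the same statement that invalidates the handle, with a guard at the top of the function so a later call on the same context cannot reach the converter either.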

Re: Segfault in mod_xml2enc.c with big5 charset

Posted by Ewald Dieterich <ew...@mailbox.org>.
On 05.12.2016 14:38, Ewald Dieterich wrote:
> I have a segfault in mod_xml2enc.c, xml2enc_ffunc() when processing a
> page with big5 charset.

I have another crash at exactly the same location, this time with 
charset "euc-kr". mod_xml2enc is definitely not able to handle 
multi-byte charsets reliably.