[bug] bug in html_kill_comment (version 0.10.1)

Matt Armstrong matt at lickey.com
Thu Jan 23 19:11:25 CET 2003


Reading html_kill_comment, it makes no guarantee that it always passes
at least 2 bytes of size to buff_fill.  This can cause bogofilter to
abort.  I changed the exit() in fgetsl to abort() and got this
backtrace.

#0  0x4010d781 in kill () from /lib/libc.so.6
#1  0x4010d464 in raise () from /lib/libc.so.6
#2  0x4010ebe1 in abort () from /lib/libc.so.6
#3  0x080570d4 in fgetsl (buf=0x80bdb77 "", max_size=1, s=0x401f9080) at fgetsl.c:24
#4  0x0804e25c in lgetsl (buf=0x80bdb77 "", size=1) at lexer.c:49
#5  0x0804e32e in yy_get_new_line (buf=0x80bdb77 "", max_size=1) at lexer.c:69
#6  0x0804e473 in get_decoded_line (buf=0x80bdb77 "", max_size=1) at lexer.c:112
#7  0x0804e6ca in buff_fill (need=1, buf=0x80bdb77 "", used=0, size=1) at lexer.c:178
#8  0x0804e139 in kill_html_comment (
    buf_start=0x80bbb78 "\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n<title>Untitled Document</title>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=euc-kr\">\n<link href=\"http://"..., buf_used=0x80bdb77 "", 
    buf_end=0x80bdb78 "") at html.c:57
#9  0x0804e0a6 in process_html_comments (
    buf=0x80bbb78 "\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n<title>Untitled Document</title>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=euc-kr\">\n<link href=\"http://"..., used=17, size=8192) at html.c:42
#10 0x0804e767 in yyinput (
    buf=0x80bbb78 "\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n<title>Untitled Document</title>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=euc-kr\">\n<link href=\"http://"..., max_size=8192) at lexer.c:200
#11 0x0805a107 in yy_get_next_buffer () at lexer_text_html.c:997
#12 0x08059dfa in text_html_lex () at lexer_text_html.c:831
#13 0x08051295 in get_token () at token.c:107
#14 0x0804c46d in collect_words (wh=0xbffff698, word_count=0xbffff690, 
    cont=0xbffff687 "\001\020") at collect.c:52
#15 0x080503e4 in register_messages (_run_type=REG_SPAM) at register.c:152
#16 0x08049bf0 in main (argc=3, argv=0xbffff844) at main.c:171
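The backtrace shows a fill requested with need=1 into a buffer with size=1 and used=0, which leaves the line reader no room for a character plus its NUL terminator. As an added illustration that is not bogofilter's code, the hypothetical stand-ins below (line_read, fill_allowed, demo are assumed names) show the two guards a defender would want: the reader reports a too-small size instead of exiting, and the caller checks the remaining room before asking for a fill.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for fgetsl(): reads one line into buf.
 * Returns the bytes stored, 0 at end of input, or -1 when the caller
 * breaks the precondition (max_size < 2 leaves no room for one
 * character plus the terminating NUL).  Reporting the error instead
 * of calling exit() keeps one malformed message from killing the
 * whole filter process. */
int line_read(char *buf, size_t max_size, FILE *fp)
{
    if (buf == NULL || fp == NULL || max_size < 2 || max_size > INT_MAX)
        return -1;
    if (fgets(buf, (int)max_size, fp) == NULL)
        return 0;
    return (int)strlen(buf);
}

/* Hypothetical stand-in for the check a buff_fill() caller should
 * make: may 'need' bytes be read into a buffer of 'size' bytes of
 * which 'used' are occupied?  The free space must hold 'need' bytes
 * plus the NUL, so need=1, used=0, size=1 (the backtrace values)
 * is refused rather than passed down to the reader. */
int fill_allowed(size_t need, size_t used, size_t size)
{
    if (need == 0 || used > size)
        return 0;
    return size - used > need;
}

/* Constructed sample (not from the report): a one-byte buffer, as in
 * the backtrace, beside one with room.  Returns 1 when both guards
 * behave as described above. */
int demo(void)
{
    char tiny[1], room[64];
    int rc_tiny, rc_room;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return 0;
    fputs("<!-- comment -->\n", fp);
    rewind(fp);
    rc_tiny = line_read(tiny, sizeof tiny, fp);   /* -1: refused, nothing consumed */
    rc_room = line_read(room, sizeof room, fp);   /* 17: the whole sample line */
    fclose(fp);
    return rc_tiny == -1 && rc_room == 17
        && fill_allowed(1, 0, 1) == 0 && fill_allowed(1, 0, 2) == 1;
}
```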
