[Pkg-tcltk-devel] Bug#1057485: tk-html3: Null pointer dereference causing a crash in libTkhtml3.0.so

Tomislav Turek tureqsec at gmail.com
Tue Dec 5 20:28:13 GMT 2023


Package: tk-html3
Version: 3.0~fossil20110109-8
Severity: normal
X-Debbugs-Cc: none

Dear Maintainer,

I am not sure whether this is the right place, but I would like to report a
bug in libTkhtml3.0.so used by hv3 browser. To reproduce it use the
following steps:
```
$ echo '<style>.hello { background-color:rgb(A); }</style>' > bug.html
$ hv3 bug.html
Segmentation fault
```

Due to the printed Segmentation fault message, I researched the bug a bit
further to establish why it happens.

This is the backtrace shown once SIGSEGV occurs:
```
 ► 0   0x7ffff73b4482 inputNextToken+50
   1   0x7ffff73b49cb inputNextTokenIgnoreSpace+11
   2   0x7ffff73b5b57 HtmlCssGetNextCommaListItem+71
   3   0x7ffff73af784 tokenToProperty+1444
   4   0x7ffff73b0155 HtmlCssDeclaration+421
   5   0x7ffff73b4e0b parseDeclarationBlock+795
   6   0x7ffff73b5510 HtmlCssRunParser+1696
   7   0x7ffff73aeabd cssParse+429
```

The function in question is `tokenToProperty` which calls the `rgbToColor`
function that parses the `rgb()` CSS function call:
https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L430

The parser expects the format of the function call to be `rgb(A, B, C)`
which doesn't have to be the case nowadays. A valid example may be:
```
#example {
  background-color: rgb(var(--color));
}
```

Because the function call is not conforming to the hv3 expected format, the
`rgbToColor` function will iterate three times through its arguments
searching for values separated by comma and end up dereferencing a null
pointer:
```
 ► 0x7ffff73af77f <tokenToProperty+1439>    call
HtmlCssGetNextCommaListItem at plt
 <HtmlCssGetNextCommaListItem at plt>
        rdi: 0x0
        rsi: 0x55f7348b
        rdx: 0x7fffffffc048 ◂— 0xffffffffffffffff
        rcx: 0x0
...
Thread 1 "wish" received signal SIGSEGV, Segmentation fault.
0x00007ffff73b4482 in inputNextToken () from /usr/lib/Tkhtml3.0/
libTkhtml3.0.so
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────[ REGISTERS / show-flags off / show-compact-regs off
]─────────────
 RAX  0x0
 RBX  0x0
 RCX  0x0
*RDX  0x7fffffffc538 ◂— 0xffffffffffffffff
*RDI  0x7fffffffc400 ◂— 0x0
*RSI  0x55fbd63f
*R8   0x7ffff7c6d560 (_nl_global_locale) —▸ 0x5555555593f0 —▸
0x555555559350 ◂— 'en_US.UTF-8'
*R9   0x3
 R10  0x0
*R11  0x7ffff7c164c0 (_nl_C_LC_CTYPE_tolower+512) ◂— 0x100000000
 R12  0x0
*R13  0x7fffffffc400 ◂— 0x0
 R14  0x0
*R15  0x55fbd63f
*RBP  0x55fbd63f
*RSP  0x7fffffffc360 —▸ 0x555555f886b0 ◂— 0x3
*RIP  0x7ffff73b4482 (inputNextToken+50) ◂— cmp byte ptr [rbx], 0x2f
──────────────────────[ DISASM / x86-64 / set emulate on
]──────────────────────
 ► 0x7ffff73b4482 <inputNextToken+50>     cmp    byte ptr [rbx], 0x2f
   0x7ffff73b4485 <inputNextToken+53>     je     inputNextToken+232
       <inputNextToken+232>
    ↓
   0x7ffff73b4538 <inputNextToken+232>    cmp    byte ptr [rbx + 1], 0x2a
   0x7ffff73b453c <inputNextToken+236>    jne    inputNextToken+59
       <inputNextToken+59>
    ↓
   0x7ffff73b448b <inputNextToken+59>     movzx  edx, byte ptr [rbx]
   0x7ffff73b448e <inputNextToken+62>     cmp    dl, 0x20
   0x7ffff73b4491 <inputNextToken+65>     jle    inputNextToken+97
       <inputNextToken+97>
    ↓
   0x7ffff73b44b1 <inputNextToken+97>     cmp    dl, 8
   0x7ffff73b44b4 <inputNextToken+100>    jg     inputNextToken+398
       <inputNextToken+398>
    ↓
   0x7ffff73b45de <inputNextToken+398>    movabs rax, 0x100002600
   0x7ffff73b45e8 <inputNextToken+408>    bt     rax, rdx
───────────────────────────────────[ STACK
]────────────────────────────────────
00:0000│ rsp 0x7fffffffc360 —▸ 0x555555f886b0 ◂— 0x3
01:0008│     0x7fffffffc368 ◂— 0x41007fffffffffff
02:0010│     0x7fffffffc370 ◂— 0x0
03:0018│     0x7fffffffc378 ◂— 0x0
04:0020│     0x7fffffffc380 —▸ 0x555555f886e0 ◂— 0x3
05:0028│     0x7fffffffc388 ◂— 0xf037dcd0ffffffff
06:0030│     0x7fffffffc390 —▸ 0x555555b3427b ◂— 'info exists
::hv3::log_source_option]} return\n    if {$::hv3::log_source_option} {\n
   append O(myHtmlDocument) $data\n    }\n  '
07:0038│     0x7fffffffc398 —▸ 0x7fffffffc138 —▸ 0x7fffffffc1b8 —▸
0x7fffffffc1d8 ◂— 0x0
...
```

In the code I have identified the following calls causing the crash:
- `rgbToColor` fetches the next comma list item by calling
`HtmlCssGetNextCommaListItem`:
https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/css.c#L444
```
aToken[ii].z = HtmlCssGetNextCommaListItem(z, zEnd - z, &aToken[ii].n);
```
- `HtmlCssGetNextCommaListItem` calls `inputNextTokenIgnoreSpace` which
calls `inputNextToken`:
https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L1186
```
inputNextTokenIgnoreSpace(&sInput);
```
- `inputNextToken` references the first element of the NULL pointer, `z[0]`:
https://github.com/olebole/tkhtml3/blob/399bae7dc2d9425e62c2a7ad12bd044920261f7a/src/cssparser.c#L208
```
switch( z[0] ){
```

This bug also makes the hv3 browser crash on legitimate sites, effectively
making it unusable:
```
$ hv3 http://wordpress.com
Error in -requestcmd
https://fonts-api.wp.com/css?family=Raleway:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|Cabin:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|:
Illegal characters in URL path
Segmentation fault
```

If my analysis is correct, the fix for this issue would be to change the
current rgb function parsing implementation and add support for other types
of function arguments.

Although it seems to me that this browser has been unmaintained for several
years now, I see it is available in the Debian repos so I decided to report
the bug.

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tk-html3 depends on:
ii  libc6     2.36-9+deb12u3
ii  libx11-6  2:1.8.4-2+deb12u2
ii  tk        8.6.13

tk-html3 recommends no packages.

tk-html3 suggests no packages.

-- no debconf information
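The failure pattern described in the report, as an added example that is not part of the original message or of tkhtml3's code: a comma-list tokenizer that returns NULL once the list is exhausted, an `rgb()` argument loop that runs exactly three times without testing that return value, and the hardened form of the same loop beside it. All function names (`next_comma_item`, `parse_rgb_unchecked`, `parse_rgb_checked`, `rgb_packed`, `parse_u8`) are hypothetical stand-ins for the real `HtmlCssGetNextCommaListItem` / `rgbToColor` pair, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not tkhtml3 code. Models the call pattern from the bug
 * report: a tokenizer that yields NULL when the comma list is exhausted and a
 * caller that assumes exactly three rgb() arguments. Names are hypothetical.
 */

/* Stand-in for HtmlCssGetNextCommaListItem(). Skips blanks and one leading
 * comma, then returns a pointer to the next item in z[0..zEnd) with its
 * trimmed length in *pLen. Returns NULL (and *pLen = 0) when nothing is left.
 * Like the tokenizer in the report, it reads z[0] without testing z for NULL. */
static const char *next_comma_item(const char *z, const char *zEnd, int *pLen)
{
    const char *start, *end;

    *pLen = 0;
    while (z < zEnd && isspace((unsigned char)z[0])) z++;   /* faults if z == NULL */
    if (z < zEnd && z[0] == ',') z++;
    while (z < zEnd && isspace((unsigned char)z[0])) z++;
    if (z >= zEnd) return NULL;

    start = z;
    while (z < zEnd && z[0] != ',') z++;
    end = z;
    while (end > start && isspace((unsigned char)end[-1])) end--;
    *pLen = (int)(end - start);
    return start;
}

/* Parse a decimal byte 0..255 from exactly n characters; -1 if it is not one. */
static int parse_u8(const char *z, int n)
{
    int v = 0, i;
    if (n < 1 || n > 3) return -1;
    for (i = 0; i < n; i++) {
        if (!isdigit((unsigned char)z[i])) return -1;
        v = v * 10 + (z[i] - '0');
    }
    return v > 255 ? -1 : v;
}

/* Mirrors the loop shape in the report: three iterations, returned pointer
 * never tested. With "A" or "var(--color)" the second iteration yields NULL,
 * z becomes NULL + 0, and the third call faults inside the tokenizer, the same
 * shape as the reported backtrace. Shown for comparison only; do not call it
 * with malformed input. */
int parse_rgb_unchecked(const char *zArgs, int out[3])
{
    const char *z = zArgs, *zEnd = zArgs + strlen(zArgs);
    struct { const char *z; int n; } aToken[3];
    int ii;

    for (ii = 0; ii < 3; ii++) {
        aToken[ii].z = next_comma_item(z, zEnd, &aToken[ii].n);
        z = aToken[ii].z + aToken[ii].n;   /* NULL once the list has run out */
    }
    for (ii = 0; ii < 3; ii++) out[ii] = parse_u8(aToken[ii].z, aToken[ii].n);
    return 1;
}

/* Hardened form: test every return value, require exactly three 0..255
 * integers, and fail closed (return 0) on anything else, including the
 * rgb(var(--color)) form this parser does not understand. The caller can then
 * treat the value as "not a colour" instead of crashing the browser. */
int parse_rgb_checked(const char *zArgs, int out[3])
{
    const char *z = zArgs, *zEnd = zArgs + strlen(zArgs);
    int ii, n;

    for (ii = 0; ii < 3; ii++) {
        const char *item = next_comma_item(z, zEnd, &n);
        if (item == NULL) return 0;            /* fewer than three arguments */
        out[ii] = parse_u8(item, n);
        if (out[ii] < 0) return 0;             /* not a 0..255 integer */
        z = item + n;
    }
    while (z < zEnd && isspace((unsigned char)z[0])) z++;
    return z == zEnd;                          /* reject a fourth argument or trailing junk */
}

/* Convenience wrapper: 0xRRGGBB on success, -1 when the arguments are rejected. */
int rgb_packed(const char *zArgs)
{
    int rgb[3];
    if (!parse_rgb_checked(zArgs, rgb)) return -1;
    return (rgb[0] << 16) | (rgb[1] << 8) | rgb[2];
}

int main(void)
{
    /* Constructed inputs: the well-formed case, the two forms from the report,
     * and a surplus argument. */
    static const char *samples[] = { "1, 2, 3", "A", "var(--color)", "255,0,128,7" };
    size_t i;
    int rgb[3];

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int packed = rgb_packed(samples[i]);
        if (packed < 0) printf("rgb(%s) -> rejected\n", samples[i]);
        else            printf("rgb(%s) -> #%06x\n", samples[i], packed);
    }
    parse_rgb_unchecked("1, 2, 3", rgb);       /* safe only because the input is well formed */
    printf("unchecked rgb(1, 2, 3) -> %d %d %d\n", rgb[0], rgb[1], rgb[2]);
    return 0;
}
```

The defensive point is the `item == NULL` test after every tokenizer call plus the end-of-input check after the third: the unchecked loop trusts the argument count implied by the CSS grammar, while the checked one treats the stylesheet as untrusted input and rejects anything it cannot parse. Supporting `var()` and other argument forms, as the report suggests, is a separate feature; the NULL check alone removes the crash.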