Re: [Bug-wget] wget 1.19.4 - possible double free in url.c

[Tim Rühsen]

On 03/01/2018 03:01 PM, Volkmar Klatt wrote:
> Dear wget maintainer,
> 
> 1) in wget 1.19.4 (and probably earlier)
> please check carefully
> 
> static char * convert_fname (char *fname)
> in
> src/url.c
> 
> I run a OpenBSD machine, x86, ABI=32
> and I guess there's a double free when using iconv,
> see patch attached.

Good catch, thanks !
Though it's not a double free, but a free on -1 if iconv_open() fails.
The solution is to move iconv_close() two lines up into the else case.

I took the opportunity and rearranged the code a bit, commit pushed.

> With this change, all my non-skipped tests pass,
> whereas with original url.c most tests fail with core dump:
> 
> wget(24305) in free(): error: bogus pointer (double free?)
> 0xffffffff
> -->
> 
> #0  0x1c187cb1 in kill () at <stdin>:2
> #1  0x1c1b5ab6 in raise (s=6) at
> /usr/src/lib/libc/gen/raise.c:39
> #2  0x1c1b5a00 in abort () at
> /usr/src/lib/libc/stdlib/abort.c:53
> #3  0x1c1967f7 in wrterror (msg=0x3c119b56 "bogus pointer
> (double free?)", p=0xffffffff)
>     at /usr/src/lib/libc/stdlib/malloc.c:281
> #4  0x1c197d09 in free (ptr=0xffffffff) at
> /usr/src/lib/libc/stdlib/malloc.c:1282
> #5  0x1c06d54d in libiconv_close ()
> #6  0x1c032334 in url_file_name ()
> #7  0x1c01facf in http_loop ()
> #8  0x1c02dd7e in retrieve_url ()
> #9  0x1c027068 in main ()
> 
> 2) The documentation might mention that
> strict firewall settings may also hinder the tests,
> e.g. when traffic from/to 127.0.0.1 is blocked.
> 
> Solution: Isolate the machine (no net)
> and temporalily disable the firewall, then 'make test'
> 
> Thanks,
> Volkmar Klatt

With Best Regards, Tim

signature.asc
Description: OpenPGP digital signature