michaelrsweet / htmldoc

HTML Conversion Software
https://www.msweet.org/htmldoc
GNU General Public License v2.0

crash on PDF generation: double free in pspdf_export() #138

Closed michaelrsweet closed 16 years ago

michaelrsweet commented 17 years ago

Version: 1.8.27
Original reporter:

Crash with libc error of double free for line 969 which is

  free(pages[i].heading);

in ps-pdf.cxx

Problem is that pages[i].heading pointers are equal for two heading(s) that are at i and i+2. The code does not trap this case (it checks i and i+1) and does a double free.

I can provide the html source that causes this, it's got one reported error in it (that I can't find), but html errors should not cause crashes.

Attached is my hack that seems to solve the problem. It checks for equal pointers at any pages, not just for i and i+1, and NULLs the duplicates after the first is freed.

I also get this problem with version 1.9.x-r1521.

OS: Linux 2.6.12-1.1381_FC3smp (Fedora Core 3); compiler: gcc 3.4.4-2.fc3
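As an added illustration, not HTMLDOC's own code: the aliasing the report describes (pages 0 and 2 sharing one heading pointer), a dry run of a hypothetical adjacent-only check that counts the double frees it would cause, and a release loop that NULLs every later alias before freeing, as the reporter's hack does. The `page_t` struct and the function names are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Stand-in for HTMLDOC's page record (assumption: the real struct has more fields). */
typedef struct { char *heading; } page_t;  /* heading may alias another page's buffer */

/* The reporter's scenario: pages 0 and 2 share one heading buffer, page 1 does not. */
static void build_scenario(page_t p[3])
{
    char *shared = strdup("Chapter 1");
    p[0].heading = shared;
    p[1].heading = strdup("Chapter 2");
    p[2].heading = shared;  /* same pointer as p[0], two entries apart */
}

/* Hypothetical adjacent-only rule: release p[i].heading unless p[i+1] holds it too. */
static int adjacent_rule_releases(const page_t *p, int n, int i)
{
    return p[i].heading != NULL && !(i + 1 < n && p[i + 1].heading == p[i].heading);
}

/* Dry run (nothing is freed): count releases that would hit an already released buffer. */
int count_double_frees_adjacent_only(const page_t *p, int n)
{
    int doubles = 0;
    for (int i = 0; i < n; i++) {
        if (!adjacent_rule_releases(p, n, i)) continue;
        for (int k = 0; k < i; k++)
            if (p[k].heading == p[i].heading && adjacent_rule_releases(p, n, k)) { doubles++; break; }
    }
    return doubles;
}

/* Fixed release: NULL every later alias before free(), so each buffer is freed once; returns free() count. */
int free_page_headings(page_t *p, int n)
{
    int freed = 0;
    for (int i = 0; i < n; i++) {
        char *h = p[i].heading;
        if (h == NULL) continue;
        for (int j = i + 1; j < n; j++)
            if (p[j].heading == h) p[j].heading = NULL;  /* drop the alias */
        free(h);
        p[i].heading = NULL;
        freed++;
    }
    return freed;
}
```

On the constructed three-page scenario the adjacent-only rule reports one double free, while the fixed loop calls free() exactly twice, once per distinct buffer.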

michaelrsweet commented 16 years ago

Original reporter: Michael Sweet

No more fixes for 1.8.x.