Fix assertion failure if IMG/@usemap refers to a different file.

Change test/imgmap2.html so it can be used for testing this too. Debian Iceweasel 3.0.4 does not appear to support such external client-side image maps. Well, that's one place where ELinks is superior, I guess. There might be a security problem though if ELinks were to let scripts of the referring page examine the links in the image map.
2024-12-04 14:46:47 -05:00 · 2009-01-01 18:38:07 +00:00 · 2009-01-01 18:38:07 +00:00 · 29c34df62e
commit 29c34df62e
parent dc41f0bd4c
3 changed files with 24 additions and 12 deletions
--- a/2
+++ b/2
@ -11,6 +11,8 @@ ELinks 0.12pre2.GIT now:
 To be released as 0.12pre3, 0.12rc1, or even 0.12.0.  This branch also
 includes the changes listed under ``ELinks 0.11.5.GIT'' below.

+* critical: Fix assertion failure if IMG/@usemap refers to a different
+  file.
 * Preserve newlines in hidden input fields, and submit them as CRLF.
  Previously, they could turn into spaces or disappear entirely.
 * Perl scripts can use modules that dynamically load C libraries, like
--- a/src/session/session.c
+++ b/src/session/session.c
@ -518,17 +518,23 @@ maybe_pre_format_html(struct cache_entry *cached, struct session *ses)
 	 * were 0, it could then be freed, and the
 	 * cached->preformatted assignment at the end of this function
 	 * would crash.  Normally, the document has a reference to the
-	 * cache entry, and that suffices.  If the following assertion
-	 * ever fails, object_lock(cached) and object_unlock(cached)
-	 * must be added to this function.  */
-	assert(cached->object.refcount > 0);
-	if_assert_failed return;
+	 * cache entry, and that suffices.  However, if the cache
+	 * entry was loaded to satisfy e.g. USEMAP="imgmap.html#map",
+	 * then cached->object.refcount == 0 here, and must be
+	 * incremented.
+	 * 
+	 * cached->object.refcount == 0 is safe while the cache entry
+	 * is being loaded, because garbage_collection() calls
+	 * is_entry_used(), which checks whether any connection is
+	 * using the cache entry.  But loading has ended before this
+	 * point.  */
+	object_lock(cached);

 	fragment = get_cache_fragment(cached);
-	if (!fragment) return;
+	if (!fragment) goto unlock_and_return;

 	/* We cannot do anything if the data are fragmented. */
-	if (!list_is_singleton(cached->frag)) return;
+	if (!list_is_singleton(cached->frag)) goto unlock_and_return;

 	set_event_id(pre_format_html_event, "pre-format-html");
 	trigger_event(pre_format_html_event, ses, cached);
@ -536,6 +542,9 @@ maybe_pre_format_html(struct cache_entry *cached, struct session *ses)
 	/* XXX: Keep this after the trigger_event, because hooks might call
 	 * normalize_cache_entry()! */
 	cached->preformatted = 1;
+
+unlock_and_return:
+	object_unlock(cached);
 }
 #endif

--- a/test/imgmap2.html
+++ b/test/imgmap2.html
@ -1,5 +1,6 @@
-<TITLE>Double-free crash in USEMAP</TITLE>
-<P><IMG src="/dev/null" usemap="#crasher"></P>
-<MAP name="crasher">
-<AREA shape="rect" coords="42,42,69,69" href="http://elinks.cz/" alt="see this?">
-<!-- no newline at the end of this line --></MAP>
+<TITLE>Crashes in client-side image maps</TITLE>
+<P><IMG src="image.png" usemap="imgmap.html#map" alt="ImageMap"> in another file</P>
+<P><IMG src="image.png" usemap="#at_eof" alt="ImageMap"> at the very end of this file</P>
+<MAP name="at_eof">
+<AREA shape="rect" coords="12,1, 30,18" href="http://elinks.cz/" alt="see this?">
+<!-- no newline at the end of this line --></MAP>