midori segfaults when click upper address input

Bug #700004 reported by Allen Lowe
This bug affects 5 people
Affects: Midori Web Browser | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

When I click the right part of the address input,
midori segfaults. On midori 0.2.8-15-g1a404c5 with GTK+ 2.14.4, WebKitGTK+ 1.3.4.

look at this screenshot

http://img820.imageshack.us/img820/9589/screenshot076z.png

[/media/sdc1/bin-chromium]$ gdb midori
GNU gdb (GDB) 7.0.50.20091130-cvs
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/midori...done.
(gdb) r
Starting program: /usr/bin/midori
[Thread debugging using libthread_db enabled]
[New Thread 0xb4b75b90 (LWP 27062)]
[New Thread 0xb3f24b90 (LWP 27063)]
[New Thread 0xb3723b90 (LWP 27064)]
[Thread 0xb3723b90 (LWP 27064) exited]
[New Thread 0xb3723b90 (LWP 27068)]
** Message: NP_Initialize
** Message: NP_Initialize succeeded
NPP_Initialize()
** Message: NP_Initialize
** Message: NP_Initialize succeeded
djview: QDjViewPlugin::exec() begin
** Message: NP_Initialize
** Message: NP_Initialize succeeded
** Message: NP_Initialize
** Message: NP_Initialize succeeded

Program received signal SIGSEGV, Segmentation fault.
append_escaped_text (text=0x9e6e000 <Address 0x9e6e000 out of bounds>, length=-1) at gmarkup.c:2040
2040 next = g_utf8_next_char (p);
(gdb) bt full
#0 append_escaped_text (text=0x9e6e000 <Address 0x9e6e000 out of bounds>, length=-1) at gmarkup.c:2040
end = 0x9db4a73 ""
c = <value optimised out>
#1 IA__g_markup_escape_text (text=0x9e6e000 <Address 0x9e6e000 out of bounds>, length=-1) at gmarkup.c:2117
str = 0x9dc3a90
__PRETTY_FUNCTION__ = "IA__g_markup_escape_text"
#2 0x08093aeb in midori_location_entry_render_text_cb (layout=0x9cf8480, renderer=0x9b350a0, model=0x9c17618, iter=0xbfffcfc4,
data=0x9bd7058) at ../midori/midori-locationaction.c:1163
action = 0x9bd7058
uri_escaped = 0x9de75e0 "http://bsearch.goo.ne.jp/image.php?cc=1&mt=\244\267\244ۤ\316\316", <incomplete sequence \303>
uri = 0x9db4a40 "http://bsearch.goo.ne.jp/image.php?CC=1&MT=\244\267\244ۤ\316\316", <incomplete sequence \303>
title = 0x9ddd5c0 "‪[しほの涼] 画像検索結果 - goo画像・動画・音楽検索"
style = 0
desc = 0x0
desc_uri = 0x0
desc_iter = 0x9db4a40 "http://bsearch.goo.ne.jp/image.php?CC=1&MT=\244\267\244ۤ\316\316", <incomplete sequence \303>
temp_iter = 0x9de75e0 "http://bsearch.goo.ne.jp/image.php?cc=1&mt=\244\267\244ۤ\316\316", <incomplete sequence \303>
desc_title = 0x0
str = 0x80c3b1a ""
key = 0x0
keys = 0x9d7af38
key_idx = 0
start = 0xb77e8431 "\203\304,[^_]Í\264&"
skey = 0xbfffcdf8 "(\316\377\277H\020Ʒ\200\204\317\t\240P\263\t\030v\301\t\304\317\377\277Xp\275\t\250P\263\t\240P\263\t\364\037", <incomplete sequence \366\267>
temp = 0x9de75e0 "http://bsearch.goo.ne.jp/image.php?cc=1&mt=\244\267\244ۤ\316\316", <incomplete sequence \303>
temp_concat = 0xb7677440 "U\272\001"
temp_markup = 0xb788aff4 "\270\256\f"
parts = 0x69b2
offset = 0
#3 0xb7c61048 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#4 0x09cf8480 in ?? ()
No symbol table info available.
#5 0x09b350a0 in ?? ()
No symbol table info available.
#6 0x09c17618 in ?? ()
No symbol table info available.
#7 0xbfffcfc4 in ?? ()
No symbol table info available.
#8 0x09bd7058 in ?? ()
No symbol table info available.
#9 0x09b350a8 in ?? ()
No symbol table info available.
#10 0x09b350a0 in ?? ()
No symbol table info available.
#11 0xb7f61ff4 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#12 0x00000000 in ?? ()
No symbol table info available.
(gdb) i r
eax 0x9dc3a90 165427856
ecx 0x9dc3a90 165427856
edx 0x10b978 1096056
ebx 0xb788aff4 -1215778828
esp 0xbfffcd30 0xbfffcd30
ebp 0xbfffcd68 0xbfffcd68
esi 0x9e6e000 166125568
edi 0x9e6e000 166125568
eip 0xb78027e8 0xb78027e8 <IA__g_markup_escape_text+120>
eflags 0x10283 [ CF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) q
A debugging session is active.

Inferior 1 [process 27058] will be killed.

Quit anyway? (y or n) y
djview: QDjViewPlugin::exec() end code=0

Tags: segfault
Revision history for this message
Allen Lowe (lallenlowe) wrote :

Comment by Stéphane Marguet (Stemp) - Monday, 29 November 2010, 13:42 GMT+1
I can confirm a similar bug when typing in the location bar.

Midori cannot access http://www.meteofrance.com/ and is transferred to http://token.meteofrance.com/?u=http%3A%2F%2Fwww.meteofrance.com%2F&s=sim-portail&x=%291%3E%FBm%EF%A9%DE with a Forbidden «You don't have permission to access / on this server.» message.

Then if I try to write "me" in the bar, midori crashes:

(midori:32595): Gtk-WARNING **: Failed to set text from markup due to error parsing markup: Error on line 2 char 125: Invalid UTF-8 encoded text in name - not valid 'teofrance.com/?u=http://www.meteofrance.com/&s=sim-portail&x=)1>\xfbm\xef\xa9\xde'
Erreur de segmentation

Revision history for this message
Allen Lowe (lallenlowe) wrote :

Comment by Patrick Nicolas (xytovl) - Wednesday, 01 December 2010, 22:11 GMT+1
I have exactly the same error, and I can confirm the segmentation fault comes from the history db:
if I do a select * from history where uri like '%meteo%'; I get many results among which
http://token.meteofrance.com/?u=http%3A%2F%2Ffrance.meteofrance.com%2Ffrance%2Fmeteo%3FPREVISIONS_PORTLET.path%3Dprevisionsville%2F060040&s=sim-portail&x=k%FB%C5%F7b%EF%A9%DE|‪403 Forbidden|1291098727|734106
http://www.google.com/search?q=meteo%20antibes|‪meteo antibes - Google Search|1291098740|734106

After a delete from history where uri like '%meteo%'; there is no segmentation fault anymore. If you want the original history.db for testing, I can send it.

PS: midori is version 0.2.9 on Gentoo amd64, gtk+ 2.20.1 and webkit-gtk 1.2.3

Changed in midori:
status: New → Confirmed
Revision history for this message
aquanaut (thecrux) wrote :

I think https://bugs.launchpad.net/midori/+bug/700068 is a duplicate of this bug

1. Try to open the URL mentioned in 700068 (the URL is saved in history)
2. Then open a new tab and type the word: search
While typing, the browser crashed.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5bb78e0 in append_escaped_text (text=<value optimized out>, length=<value optimized out>) at gmarkup.c:2044
2044 next = g_utf8_next_char (p);
(gdb) bt full
#0 0x00007ffff5bb88e0 in append_escaped_text (text=<value optimized out>, length=<value optimized out>) at gmarkup.c:2044
        next = <value optimized out>
        p = 0x3034000 <Address 0x3034000 out of bounds>
        end = 0x1eeee2e ""
        c = <value optimized out>
#1 g_markup_escape_text (text=<value optimized out>, length=<value optimized out>) at gmarkup.c:2120
        str = 0x23dd2a0
        __PRETTY_FUNCTION__ = "g_markup_escape_text"
#2 0x000000000044f480 in midori_location_entry_render_text_cb (layout=0x1f14bc0, renderer=0x1a2aee0, model=0x17eea10,
    iter=0x7fffffffbf00, data=0x15d9030) at ../midori/midori-locationaction.c:1160
        action = 0x15d9030
        uri_escaped = 0x1df8c00 "p\260\310\001"
        uri = 0x1eeede0 "http://search.tut.by/?status=1&encoding=1&page=0&how=rlv&query=\312\355\350\346\355\340\377+\377\360\354\356\360\352", <incomplete sequence \340>
        title = 0x284ad00 "‪TUT.BY | ПОИСК - Байнет - Книжная ярморка"
        style = 0
        desc = 0x0
        desc_uri = 0x1b2cd60 "http://<b>sear</b>"
        desc_iter = 0x1eeedeb "ch.tut.by/?status=1&encoding=1&page=0&how=rlv&query=\312\355\350\346\355\340\377+\377\360\354\356\360\352", <incomplete sequence \340>
        temp_iter = 0x26a9f0b "ch.tut.by/?status=1&encoding=1&page=0&how=rlv&query=\312\355\350\346\355\340\377+\377\360\354\356\360\352", <incomplete sequence \340>
        desc_title = 0x0
        str = 0x26c6a90 "sear"
        key = 0x0
        keys = 0x1cd64a0
        key_idx = 1
        start = 0x26a9f07 "search.tut.by/?status=1&encoding=1&page=0&how=rlv&query=\312\355\350\346\355\340\377+\377\360\354\356\360\352", <incomplete sequence \340>
        skey = 0x1b79f80 ""
        temp = 0x26a9f00 "http://search.tut.by/?status=1&encoding=1&page=0&how=rlv&query=\312\355\350\346\355\340\377+\377\360\354\356\360\352", <incomplete sequence \340>
        temp_concat = 0x7ffff73b3134 "\353+H\213E\350H\213@H\213U\314Hc\322H\301\342\003H\001\320H\213\bH\213U\300H\213E\360H\211\316H\211\307\350,\370\022"
        temp_markup = 0x7fffffffbd80 ""
        parts = 0x1f5a3f0
        offset = 11
#3 0x00007ffff7529fc7 in gtk_tree_view_column_cell_set_cell_data () from /usr/lib64/libgtk-x11-2.0.so.0
No symbol table info available.

After clearing of history ( delete from history where uri like '%search.tut.by%'; ) no crashes.

Revision history for this message
Arnaud Renevier (arenevier) wrote :

I can reproduce the bug. As far as I understand, it happens because URLs may contain non-UTF-8 characters (encoded). Unfortunately, midori treats them as UTF-8, and at some point it crashes (when calling g_markup_escape_text, actually). A fix could, for example, store the encoding of a page when storing its URI, so it can be converted from that encoding to UTF-8.

Here is a quick and dirty fix that does not unescape the URI when the unescaped URI is not valid UTF-8. It's not ideal (because for non-UTF-8 charsets it would not unescape, or it could even escape in a wrong way), but at least it prevents midori from crashing.
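The guard described in this comment (percent-decode the history URI, keep the decoded form only if it is valid UTF-8, otherwise fall back to the still-escaped string) as an added example; this is not Midori's code or the attached patch, and the names utf8_valid, percent_decode and uri_for_display are made up here. Midori itself would use GLib's g_uri_unescape_string and g_utf8_validate; both are reimplemented below so the block compiles without GLib.

```c
#include <stdlib.h>
#include <string.h>

/* Return 1 if s is well-formed UTF-8: valid lead bytes, correct number of
 * continuation bytes, no overlong forms, no surrogates, nothing above U+10FFFF. */
int utf8_valid(const unsigned char *s) {
    while (*s) {
        unsigned char c = *s; int n; unsigned int cp;
        if (c < 0x80) { s++; continue; }
        if (c >= 0xC2 && c <= 0xDF) { n = 1; cp = c & 0x1F; }
        else if (c >= 0xE0 && c <= 0xEF) { n = 2; cp = c & 0x0F; }
        else if (c >= 0xF0 && c <= 0xF4) { n = 3; cp = c & 0x07; }
        else return 0;                  /* 0x80-0xC1 and 0xF5-0xFF are never lead bytes */
        for (int i = 1; i <= n; i++) {  /* a NUL here fails the 10xxxxxx test: no overread */
            if ((s[i] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i] & 0x3F);
        }
        if ((n == 2 && cp < 0x800) || (n == 3 && (cp < 0x10000 || cp > 0x10FFFF)) || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        s += n + 1;
    }
    return 1;
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    return ((c | 0x20) >= 'a' && (c | 0x20) <= 'f') ? (c | 0x20) - 'a' + 10 : -1;
}

/* Percent-decode into a fresh buffer; malformed %xx sequences are copied through unchanged. */
char *percent_decode(const char *uri) {
    char *out = malloc(strlen(uri) + 1), *o = out;
    for (const char *p = uri; *p; p++) {
        if (*p == '%' && hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
            *o++ = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 2;
        } else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Display form of a history URI: the decoded bytes only when they are valid UTF-8,
 * otherwise the original escaped URI, which is pure ASCII and safe to hand to markup code. */
char *uri_for_display(const char *uri) {
    char *decoded = percent_decode(uri);
    if (utf8_valid((const unsigned char *)decoded)) return decoded;
    free(decoded);
    char *copy = malloc(strlen(uri) + 1);
    return strcpy(copy, uri);
}
```

The caller owns the returned buffer and frees it; the EUC-JP and Latin-1 byte runs seen in the backtraces above (%A4%B7..., %FB...) fail the validation and are displayed escaped rather than fed to g_markup_escape_text.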

Revision history for this message
Eivind Eide (mokkurkalve) wrote :

This seems to be the same bug that I reported on flyspray that was moved to Bug #706812
For the longest time I haven't used midori as it crashes within the first minute every time due to this.
However (though only briefly tested yet) applying the above "quick and dirty patch" seems to fix this for me.

Michael Moroni (airon90)
tags: added: segfault
Revision history for this message
Eivind Eide (mokkurkalve) wrote :

Oops! That was declared a bit quickly. Going to the URI below, then putting the cursor at the end of the URI in the address field and hitting the backspace key repeatedly, removing the URI char by char, will (still) crash midori before the address field is blank....
http://www.aperitif.no/index.db2?id=11106

Revision history for this message
Tomasz Szatkowski (szatkus) wrote :
Revision history for this message
Eivind Eide (mokkurkalve) wrote :

With the "Slightly better solution" patch I can't seem to crash Midori as described in my previous post anymore. So far it seems like a working fix.

Revision history for this message
Cris Dywan (kalikiana) wrote :

The patch looks sensible, and while I was never able to reproduce it, it doesn't cause any harm. Thanks a lot!

Changed in midori:
status: Confirmed → Fix Committed
Cris Dywan (kalikiana)
Changed in midori:
status: Fix Committed → Fix Released