Crash visiting specific website

Bug #514484 reported by Peter Clifton
Affects / Status / Importance / Assigned to / Milestone
GLib: Fix Released, Medium
glib2.0 (Ubuntu): Fix Released, Low, assigned to Ubuntu Desktop Bugs

Bug Description

Binary package hint: epiphany-browser

Visiting the following page crashes epiphany

http://www.trusteer.com/list-context/publications/address-bar-spoofing-attacks-against-microsoft-internet-explorer-6

Peter Clifton (pcjc2) wrote :

Backtrace is as follows.. not complete, I know, but I think it shows enough relevant details to be useful:

0x019e4801 in IA__g_hostname_to_ascii (hostname=0x8b263e0 "www.foo�bar.com")
    at /build/buildd/glib2.0-2.23.2/glib/ghostutils.c:402
402 /build/buildd/glib2.0-2.23.2/glib/ghostutils.c: No such file or directory.
 in /build/buildd/glib2.0-2.23.2/glib/ghostutils.c
(gdb) bt
#0 0x019e4801 in IA__g_hostname_to_ascii (
    hostname=0x8b263e0 "www.foo�bar.com")
    at /build/buildd/glib2.0-2.23.2/glib/ghostutils.c:402
#1 0x0191a870 in IA__g_resolver_lookup_by_name_async (resolver=0x81fe240,
    hostname=0x8b263e0 "www.foo�bar.com", cancellable=0x0,
    callback=0x176c390, user_data=0x8b975b8)
    at /build/buildd/glib2.0-2.23.2/gio/gresolver.c:323
#2 0x0176c266 in soup_address_resolve_async () from /usr/lib/libsoup-2.4.so.1
#3 0x0178d7c4 in soup_session_prepare_for_uri ()
   from /usr/lib/libsoup-2.4.so.1
#4 0x00cea19b in ?? () from /usr/lib/libwebkit-1.0.so.2
#5 0x00807c17 in ?? () from /usr/lib/libwebkit-1.0.so.2
#6 0x0075e897 in ?? () from /usr/lib/libwebkit-1.0.so.2
#7 0x0072e0d3 in ?? () from /usr/lib/libwebkit-1.0.so.2
#8 0x00845416 in ?? () from /usr/lib/libwebkit-1.0.so.2
#9 0x008582c4 in ?? () from /usr/lib/libwebkit-1.0.so.2
#10 0x0085bbf8 in ?? () from /usr/lib/libwebkit-1.0.so.2
#11 0x0085e285 in ?? () from /usr/lib/libwebkit-1.0.so.2
#12 0x00859b75 in ?? () from /usr/lib/libwebkit-1.0.so.2
#13 0x008a203c in ?? () from /usr/lib/libwebkit-1.0.so.2
#14 0x008fae38 in ?? () from /usr/lib/libwebkit-1.0.so.2
#15 0x008eaacd in ?? () from /usr/lib/libwebkit-1.0.so.2
#16 0x008e5321 in ?? () from /usr/lib/libwebkit-1.0.so.2
---Type <return> to continue, or q <return> to quit---
#17 0x00ced21e in ?? () from /usr/lib/libwebkit-1.0.so.2
#18 0x01791341 in ?? () from /usr/lib/libsoup-2.4.so.1
#19 0x019850ec in IA__g_cclosure_marshal_VOID__VOID (closure=0x81fe240,
    return_value=0x0, n_param_values=1, param_values=0x8b27c68,
    invocation_hint=0xbfffdb40, marshal_data=0x8b975b8)
    at /build/buildd/glib2.0-2.23.2/gobject/gmarshal.c:77
#20 0x01976e52 in IA__g_closure_invoke (closure=0x8ba4a48, return_value=0x0,
    n_param_values=1, param_values=0x8b27c68, invocation_hint=0xbfffdb40)
    at /build/buildd/glib2.0-2.23.2/gobject/gclosure.c:767
#21 0x0198d088 in signal_emit_unlocked_R (node=<value optimised out>,
    detail=<value optimised out>, instance=0x8b9d088, emission_return=0x0,
    instance_and_params=0x8b27c68)
    at /build/buildd/glib2.0-2.23.2/gobject/gsignal.c:3313
#22 0x0198e204 in IA__g_signal_emit_valist (instance=0x8b9d088, signal_id=414,
    detail=0,
    var_args=0xbfffdcfc "\364/z\001\364/z\001\210й\b(\335\377\277(fx\001\210й\b\210\177%\b{ox\001\364\257\232\001\364\257\232\001pox\001h\335\377\277\354P\230\001") at /build/buildd/glib2.0-2.23.2/gobject/gsignal.c:2976
#23 0x0198e6a6 in IA__g_signal_emit (instance=0x8b9d088, signal_id=414,
    detail=0) at /build/buildd/glib2.0-2.23.2/gobject/gsignal.c:3033
#24 0x0178275b in soup_message_finished () from /usr/lib/libsoup-2.4.so.1
#25 0x01786628 in ?? () from /usr/lib/libsoup-2.4.so.1
#26 0x019850ec in IA__g_cclosure_marshal_VOID__VOID (closure=0x8b8b3d8,

Peter Clifton (pcjc2) wrote :

Notice that www.foo�bar.com has a non-printable UTF-8 character.

Here is a better backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x019e4801 in IA__g_hostname_to_ascii (hostname=0x85ba9e8 "www.foo�bar.com")
    at /build/buildd/glib2.0-2.23.2/glib/ghostutils.c:402
402 /build/buildd/glib2.0-2.23.2/glib/ghostutils.c: No such file or directory.
 in /build/buildd/glib2.0-2.23.2/glib/ghostutils.c
(gdb) bt
#0 0x019e4801 in IA__g_hostname_to_ascii (hostname=0x85ba9e8 "www.foo�bar.com")
    at /build/buildd/glib2.0-2.23.2/glib/ghostutils.c:402
#1 0x0191a870 in IA__g_resolver_lookup_by_name_async (resolver=0x8181800,
    hostname=0x85ba9e8 "www.foo�bar.com", cancellable=0x0, callback=0x176c390, user_data=0x828e3b8)
    at /build/buildd/glib2.0-2.23.2/gio/gresolver.c:323
#2 0x0176c266 in soup_address_resolve_async () from /usr/lib/libsoup-2.4.so.1
#3 0x0178d7c4 in soup_session_prepare_for_uri () from /usr/lib/libsoup-2.4.so.1
#4 0x00cea19b in WebCore::prefetchDNS (hostname=...) at ../WebCore/platform/network/soup/DNSSoup.cpp:40
#5 0x00807c17 in WebCore::HTMLAnchorElement::parseMappedAttribute (this=0xb3356240, attr=0xb34df438)
    at ../WebCore/html/HTMLAnchorElement.cpp:282
#6 0x0075e897 in WebCore::StyledElement::attributeChanged (this=0xb3356240, attr=0xb34df438,
    preserveDecls=false) at ../WebCore/dom/StyledElement.cpp:190
#7 0x0072e0d3 in WebCore::Element::setAttributeMap (this=0xb3356240, list=...,
    scriptingPermission=WebCore::FragmentScriptingAllowed) at ../WebCore/dom/Element.cpp:668
#8 0x00845416 in WebCore::HTMLParser::parseToken (this=0xb666e6c0, t=0xb666c01c)
    at ../WebCore/html/HTMLParser.cpp:280
#9 0x008582c4 in WebCore::HTMLTokenizer::processToken (this=0xb666c000)
    at ../WebCore/html/HTMLTokenizer.cpp:1939
#10 0x0085bbf8 in WebCore::HTMLTokenizer::parseTag (this=0xb666c000, src=..., state=...)
    at ../WebCore/html/HTMLTokenizer.cpp:1511
#11 0x0085e285 in WebCore::HTMLTokenizer::write (this=0xb666c000, str=..., appendData=false)
    at ../WebCore/html/HTMLTokenizer.cpp:1762
#12 0x00859b75 in WebCore::HTMLTokenizer::executeExternalScriptsIfReady (this=0xb666c000)
    at ../WebCore/html/HTMLTokenizer.cpp:2093
#13 0x008a203c in WebCore::CachedScript::checkNotify (this=0xb6649c00) at ../WebCore/loader/CachedScript.cpp:105
#14 0x008fae38 in WebCore::Loader::Host::didFinishLoading (this=0xb662d540, loader=0xb66cc200)
    at ../WebCore/loader/loader.cpp:391
#15 0x008eaacd in WebCore::SubresourceLoader::didFinishLoading (this=0xb66cc200)
    at ../WebCore/loader/SubresourceLoader.cpp:184
#16 0x008e5321 in WebCore::ResourceLoader::didFinishLoading (this=0xb66cc200)
    at ../WebCore/loader/ResourceLoader.cpp:403
#17 0x00ced21e in finishedCallback (session=0x8180408, msg=0x85b8740, data=0xb66c2e80)
    at ../WebCore/platform/network/soup/ResourceHandleSoup.cpp:332
#18 0x01791341 in ?? () from /usr/lib/libsoup-2.4.so.1
#19 0x019850ec in IA__g_cclosure_marshal_VOID__VOID (closure=0x8180408, return_value=0x0, n_param_values=1,
    param_values=0x8729918, invocation_hint=0xbfffdb40, marshal_data=0x85fd980)
    at /build/buildd/glib2.0-2.23.2/gobject/gmarshal.c:77
#20 0x01976e52 in IA__g_closure_invok...

Peter Clifton (pcjc2) wrote :

(gdb) print (char[])hostname[0]
$9 = "w"
(gdb) print (char[])hostname[1]
$10 = "w"
(gdb) print (char[])hostname[2]
$11 = "w"
(gdb) print (char[])hostname[3]
$12 = "."
(gdb) print (char[])hostname[4]
$13 = "f"
(gdb) print (char[])hostname[5]
$14 = "o"
(gdb) print (char[])hostname[6]
$15 = "o"
(gdb) print (char[])hostname[7]
$16 = <incomplete sequence \357>
(gdb) print (char[])hostname[8]
$17 = "\277"
(gdb) print (char[])hostname[9]
$18 = "\275"
(gdb) print (char[])hostname[10]
$19 = "b"
(gdb) print (char[])hostname[11]
$20 = "a"
(gdb) print (char[])hostname[12]
$21 = "r"

Peter Clifton (pcjc2) wrote :

Funny this.. and I found the above website when looking at a concern I had regarding UTF-8 DNS, and phishing attacks.

It occurred to me that UTF-8 control codes, or other non-ASCII letters, could be embedded in a domain, giving a domain which is representable in emails (such as a "paypal.com" link), which looks 100% legitimate - but in fact uses different UTF-8 characters to direct to a fake website.

Peter Clifton (pcjc2) wrote :

Off-topic, I know, but does anyone know if the DNS registries reject stuff like this?

https://www.pay​pal.com
There is a zero-width space character in between pay and pal

Epiphany doesn't appear to strip it, you just get a "not found" error:

Problem occurred while loading the URL http://https//www.pay%E2%80%8Bpal.com
Cannot resolve hostname

Scary times ahead if this kind of encoding can get through into the DNS servers!!
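An added hostname check, written for this thread and not taken from the bug report or from GLib, showing how the two inputs discussed above behave under Python's stdlib IDNA codec (IDNA 2003 nameprep plus punycode, standing in for g_hostname_to_ascii): the crash input, whose bytes \357\277\275 in the gdb session are the UTF-8 encoding of U+FFFD, and the zero-width-space name. The function names and the category list are my own choices.

```python
# Added example, not code from the bug report or from GLib. Python's stdlib
# IDNA codec (IDNA 2003 nameprep + punycode) stands in for g_hostname_to_ascii
# to show how the two inputs from this thread behave: the crash input
# (bytes \357\277\275 = U+FFFD) and the zero-width-space name.
import unicodedata

# General categories that should never appear in a hostname a user reads:
# Cf = format (zero-width space, joiners, bidi overrides), Cc = control,
# Co = private use, Cn = unassigned, Z* = spaces and separators.
HIDDEN_CATEGORIES = {"Cf", "Cc", "Co", "Cn", "Zs", "Zl", "Zp"}


def hidden_chars(hostname):
    """List (index, 'U+XXXX', name) for each non-ASCII char in a hidden category."""
    found = []
    for i, ch in enumerate(hostname):
        if ord(ch) >= 0x80 and unicodedata.category(ch) in HIDDEN_CATEGORIES:
            found.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>")))
    return found


def to_ascii(hostname):
    """IDNA-encode as a resolver would; None if nameprep rejects a character.

    U+FFFD is prohibited by nameprep (RFC 3454 table C.6), so the crash input
    is rejected here instead of being handed to the resolver.
    """
    try:
        return hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def classify(hostname):
    """Return 'ascii', 'idn' (plain internationalised name), 'hidden' or 'invalid'."""
    if hostname.isascii():
        return "ascii"
    # Look for hidden characters before IDNA mapping: nameprep silently maps
    # U+200B to nothing, so "pay\u200bpal.com" would otherwise become paypal.com.
    if hidden_chars(hostname):
        return "hidden"
    return "idn" if to_ascii(hostname) is not None else "invalid"


if __name__ == "__main__":
    for name in ("www.example.com", "pay\u200bpal.com",
                 "www.foo\ufffdbar.com", "b\u00fccher.example"):
        print(repr(name), classify(name), hidden_chars(name), to_ascii(name))
```

The ordering matters: checking for hidden characters before the IDNA step is what catches the zero-width space, since the IDNA 2003 mapping alone turns the spoofed name into the genuine one.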

Peter Clifton (pcjc2) wrote :

Anyhow.. looks like the crash bug is in glib, will add to the bug

affects: epiphany-browser (Ubuntu) → glib2.0 (Ubuntu)
Sebastien Bacher (seb128) wrote :

Thank you for your bug report. The issue is an upstream one and it would be nice if somebody having it could send the bug to the people writing the software (https://wiki.ubuntu.com/Bugs/Upstream/GNOME)

Changed in glib2.0 (Ubuntu):
importance: Undecided → Low
Sebastien Bacher (seb128) wrote :

Crashing in a glib function doesn't mean that the issue is a glib bug, it could be the caller passing incorrect values to it

Peter Clifton (pcjc2) wrote :

Well, noting that the function has a single argument, and that doesn't cause any access errors when printing it, I would imagine the glib implementation is the issue.

#0 0x019e4801 in IA__g_hostname_to_ascii (
    hostname=0x8b263e0 "www.foo�bar.com"

Changed in glib2.0 (Ubuntu):
status: New → Triaged
Peter Clifton (pcjc2) wrote :

This is now fixed in glib git:

commit 27a080537efdb8660c62445427b53fc29735f304
Author: Dan Winship <email address hidden>
Date: Mon Feb 1 18:11:43 2010 -0500

    ghostutils: Fix a crash and add some tests

    https://bugzilla.gnome.org/show_bug.cgi?id=608743

Pedro Villavicencio (pedro) wrote :

Marking it as fix committed then, thanks all.

Changed in glib2.0 (Ubuntu):
assignee: nobody → Ubuntu Desktop Bugs (desktop-bugs)
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glib2.0 - 2.23.3-0ubuntu1

---------------
glib2.0 (2.23.3-0ubuntu1) lucid; urgency=low

  * New upstream version:
    - GLib now has a facility for locks that consume only one bit of
      storage inside an integer: g_bit_lock
    - GVariant: The serializer has been merged, with more API to follow
    - Bugs fixed
      548967 1 bit mutex lock
      604967 2.22.3 libasyncns build fails on HP-UX 11.11
      608602 G_VALUE_COLLECT_INIT variables shadow those in G_VALUE_COLLECT
      608743 Crash in g_hostname_to_ascii visiting certain website in epiphany
      (lp: #514484)
      599197 array ref and unref functions crash on NULL array.
      608159 mem leak in g_io_modules_scan_all_in_directory
    - Translation updates
  * debian/libglib2.0-0.symbols:
    - new version update
 -- Sebastien Bacher <email address hidden> Tue, 09 Feb 2010 18:20:13 +0100

Changed in glib2.0 (Ubuntu):
status: Fix Committed → Fix Released
Changed in glib:
importance: Unknown → Medium
status: Unknown → Fix Released