Hello,
I am interested in NetSurf development.
I saw there was preliminary support for video content, and have written
some code to make it work with newer versions of GStreamer,
although I do wonder whether GStreamer really fits as a NetSurf dependency.
I'd like to further improve video playback support in NetSurf, but would
like to know whether there is already someone working on it and if I
could contribute.
There are some issues beyond pure playback: video playback creates a
need for some streaming option in the content fetchers, as it is not
possible (especially for memory-constrained devices) to load the
whole video in advance. If such an option would be considered,
I would also be willing to implement it.
Thanks,
avis137
Mailing Lists
Sunday, 28 September 2025
Thursday, 25 September 2025
[netsurf-dev] Help identifying cause of assert
Hi all
In the AmigaOS3 frontend I'm getting the following when visiting https://github.com/jens-maus/amissl (and other GitHub pages):
(0.000034) [ERR flex] content/handlers/html/layout_flex.c:246 layout_flex_item: box 0x42bd06ac: layout failed
(0.230806) [ERR flex] content/handlers/html/layout_flex.c:246 layout_flex_item: box 0x42bcdb94: layout failed
(0.341922) [ERR flex] content/handlers/html/layout_flex.c:246 layout_flex_item: box 0x42bc4da4: layout failed
followed by the assert:
"containing_block->width != UNKNOWN_WIDTH" failed in file "content/handlers/html/layout.c", line 4481
As this works on the AmigaOS4 frontend and there is minimal difference in the layout/window related code, I'm at a loss as to what is causing it. Can anybody provide any pointers?
Chris
Monday, 22 September 2025
[netsurf-users] Re: Question about security
Hi Michael,
Thanks, good to know CodeQL is running.
How do you feel about applying to OSS-Fuzz for the library?
Then we could have pretty good confidence in its safety.
I am able to build libcss outside of NetSurf using meson, so there is nothing stopping
us from doing this other than creating a corpus of test CSS files, and writing the fuzzer.
Best,
Aaron
On Saturday, September 20th, 2025 at 1:03 PM, Michael Drake <dmarc-noreply@freelists.org> wrote:
Hi Aaron,
The issues detected by CodeQL appear under the security tab.
Probably not available unless you're a member of the repo.
You can read about it here:
The analysis is enabled by a CI workflow:
https://github.com/netsurf-browser/libcss/blob/master/.github/workflows/static-analysis.yaml#L48
There were three issues which I've squashed. I put the CodeQL Rule ID and description in the commit messages so you can see an example:
Best regards,
Michael
On Wed, 17 Sept 2025 at 14:49, Aaron Boxer <dmarc-noreply@freelists.org> wrote:
Hi Michael,
Thanks, that helps. I looked at the GitHub mirror but CodeQL does not seem available - do you make this public elsewhere? The fact that libcss only does parsing and not rendering does reduce the attack surface, but there are a number of parsing vulnerabilities like ReDoS that have affected other libraries such as WebKit CSS parser.
Best,
Aaron
On Wednesday, September 17th, 2025 at 9:29 AM, Michael Drake <dmarc-noreply@freelists.org> wrote:
Hi Aaron,
For static analysis we have Coverity and Clang scan-build for libcss on Jenkins.
And on the GitHub mirror we have CodeQL.
Some of our libraries have been fuzzed but I'm not sure if it's done routinely or ad-hoc. I'm also not sure if libcss was covered.
Best regards,
Michael
On Wed, 17 Sept 2025 at 14:20, Aaron Boxer <dmarc-noreply@freelists.org> wrote:
Hello!
I am interested in learning more about the safety and security of the NetSurf project in general, and the libcss library in particular. I don't see any CVEs listed for NetSurf, have there been any security incidents in the past, and is there any infrastructure in place like fuzzing or static analysis to mitigate standard C security issues like buffer overflow or use after free?
I am interested in libcss in particular because I would like to use it in another project, GStreamer, which is part of many Linux distros; security is a big issue.
Many Thanks,
Aaron
Saturday, 20 September 2025
[netsurf-users] Re: Question about security
Hi Aaron,
The issues detected by CodeQL appear under the security tab.
Probably not available unless you're a member of the repo.
You can read about it here:
The analysis is enabled by a CI workflow:
https://github.com/netsurf-browser/libcss/blob/master/.github/workflows/static-analysis.yaml#L48
There were three issues which I've squashed. I put the CodeQL Rule ID and description in the commit messages so you can see an example:
Best regards,
Michael
On Wed, 17 Sept 2025 at 14:49, Aaron Boxer <dmarc-noreply@freelists.org> wrote:
Hi Michael,
Thanks, that helps. I looked at the GitHub mirror but CodeQL does not seem available - do you make this public elsewhere? The fact that libcss only does parsing and not rendering does reduce the attack surface, but there are a number of parsing vulnerabilities like ReDoS that have affected other libraries such as WebKit CSS parser.
Best,
Aaron
On Wednesday, September 17th, 2025 at 9:29 AM, Michael Drake <dmarc-noreply@freelists.org> wrote:
Hi Aaron,
For static analysis we have Coverity and Clang scan-build for libcss on Jenkins.
And on the GitHub mirror we have CodeQL.
Some of our libraries have been fuzzed but I'm not sure if it's done routinely or ad-hoc. I'm also not sure if libcss was covered.
Best regards,
Michael
On Wed, 17 Sept 2025 at 14:20, Aaron Boxer <dmarc-noreply@freelists.org> wrote:
Hello!
I am interested in learning more about the safety and security of the NetSurf project in general, and the libcss library in particular. I don't see any CVEs listed for NetSurf, have there been any security incidents in the past, and is there any infrastructure in place like fuzzing or static analysis to mitigate standard C security issues like buffer overflow or use after free?
I am interested in libcss in particular because I would like to use it in another project, GStreamer, which is part of many Linux distros; security is a big issue.
Many Thanks,
Aaron
Wednesday, 17 September 2025
[netsurf-users] Re: Question about security
Hi Michael,
Thanks, that helps. I looked at the GitHub mirror but CodeQL does not seem available - do you make this public elsewhere? The fact that libcss only does parsing and not rendering does reduce the attack surface, but there are a number of parsing vulnerabilities like ReDoS that have affected other libraries such as WebKit CSS parser.
Best,
Aaron
On Wednesday, September 17th, 2025 at 9:29 AM, Michael Drake <dmarc-noreply@freelists.org> wrote:
Hi Aaron,
For static analysis we have Coverity and Clang scan-build for libcss on Jenkins.
And on the GitHub mirror we have CodeQL.
Some of our libraries have been fuzzed but I'm not sure if it's done routinely or ad-hoc. I'm also not sure if libcss was covered.
Best regards,
Michael
On Wed, 17 Sept 2025 at 14:20, Aaron Boxer <dmarc-noreply@freelists.org> wrote:
Hello!
I am interested in learning more about the safety and security of the NetSurf project in general, and the libcss library in particular. I don't see any CVEs listed for NetSurf, have there been any security incidents in the past, and is there any infrastructure in place like fuzzing or static analysis to mitigate standard C security issues like buffer overflow or use after free?
I am interested in libcss in particular because I would like to use it in another project, GStreamer, which is part of many Linux distros; security is a big issue.
Many Thanks,
Aaron
[netsurf-users] Re: Question about security
Hi Aaron,
For static analysis we have Coverity and Clang scan-build for libcss on Jenkins.
And on the GitHub mirror we have CodeQL.
Some of our libraries have been fuzzed but I'm not sure if it's done routinely or ad-hoc. I'm also not sure if libcss was covered.
Best regards,
Michael
On Wed, 17 Sept 2025 at 14:20, Aaron Boxer <dmarc-noreply@freelists.org> wrote:
Hello!
I am interested in learning more about the safety and security of the NetSurf project in general, and the libcss library in particular. I don't see any CVEs listed for NetSurf, have there been any security incidents in the past, and is there any infrastructure in place like fuzzing or static analysis to mitigate standard C security issues like buffer overflow or use after free?
I am interested in libcss in particular because I would like to use it in another project, GStreamer, which is part of many Linux distros; security is a big issue.
Many Thanks,
Aaron
[netsurf-users] Question about security
Hello!
I am interested in learning more about the safety and security of the NetSurf project in general, and the libcss library in particular. I don't see any CVEs listed for NetSurf, have there been any security incidents in the past, and is there any infrastructure in place like fuzzing or static analysis to mitigate standard C security issues like buffer overflow or use after free?
I am interested in libcss in particular because I would like to use it in another project, GStreamer, which is part of many Linux distros; security is a big issue.
Many Thanks,
Aaron