paths: Cannot open file '/home/magnus/.dillo/keysrc': No such file or directory
paths: Cannot open file '/usr/local/etc/dillo/keysrc': No such file or directory
paths: Using internal defaults...
paths: Cannot open file '/home/magnus/.dillo/domainrc': No such file or directory
paths: Cannot open file '/usr/local/etc/dillo/domainrc': No such file or directory
paths: Using internal defaults...
dillo_dns_init: Here we go! (threaded)
TLS library: OpenSSL 3.5.4 30 Sep 2025
Disabling cookies.
paths: Cannot open file '/home/magnus/.dillo/hsts_preload': No such file or directory
paths: Cannot open file '/usr/local/etc/dillo/hsts_preload': No such file or directory
paths: Using internal defaults...
Nav_open_url: new url='file:/home/magnus/crash-dillo/tls_openssl_uaf.html'
NumPendingStyleSheets=1
Dns_server [1]: 142.251.45.142 is 142.251.45.142
Dns_server [0]: detectportal.firefox.com is 34.107.221.82 2600:1901:0:38d7::
142.251.45.142: TLSv1.3, cipher TLS_AES_256_GCM_SHA384
sha256 2048-bit RSA: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
root: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
>>>> a_Nav_repush <<<<
Nav_open_url: new url='file:/home/magnus/crash-dillo/tls_openssl_uaf.html'
SSL_shutdown() failed with error:FFFFFFFF80000009:system library::Bad file descriptor for url: https://142.251.45.142/
a_Nav_expect_done: repush!
142.251.45.142: TLSv1.3, cipher TLS_AES_256_GCM_SHA384
sha256 2048-bit RSA: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
root: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fd 6 is done and failed
Connection disappeared. Too long with a popup popped up?
=================================================================
==22123==ERROR: AddressSanitizer: heap-use-after-free on address 0x5030002dc209 at pc 0x56105f8309cd bp 0x7ffe64ac4540 sp 0x7ffe64ac4530
WRITE of size 1 at 0x5030002dc209 thread T0
    #0 0x56105f8309cc in Tls_connect /home/magnus/dillo/src/IO/tls_openssl.c:1233
    #1 0x56105f8309fa in Tls_connect_cb /home/magnus/dillo/src/IO/tls_openssl.c:1238
    #2 0x7f815a5e2989 (/usr/lib64/libfltk.so.1.3+0xa2989) (BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
    #3 0x7f815a5820b5 in Fl::wait(double) (/usr/lib64/libfltk.so.1.3+0x420b5) (BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
    #4 0x7f815a58219c in Fl::wait() (/usr/lib64/libfltk.so.1.3+0x4219c) (BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
    #5 0x56105f740f2b in main /home/magnus/dillo/src/dillo.cc:621
    #6 0x7f8159d52bfb in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7f8159d52cb4 in __libc_start_main_impl ../csu/libc-start.c:360
    #8 0x56105f73def0 in _start ../sysdeps/x86_64/start.S:115

0x5030002dc209 is located 25 bytes inside of 32-byte region [0x5030002dc1f0,0x5030002dc210)
freed by thread T0 here:
    #0 0x7f815aef8818 (/usr/lib64/libasan.so.8+0xf8818) (BuildId: 4a8505bee5ce42b81c4c9e1235c2851911c68054)
    #1 0x56105f81c3ac in dFree (/home/magnus/dillo/src/dillo+0x2113ac) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #2 0x56105f82fd9e in Tls_close_by_key /home/magnus/dillo/src/IO/tls_openssl.c:1101
    #3 0x56105f83139d in a_Tls_openssl_close_by_fd /home/magnus/dillo/src/IO/tls_openssl.c:1374
    #4 0x56105f82b8d4 in a_Tls_close_by_fd /home/magnus/dillo/src/IO/tls.c:162
    #5 0x56105f825981 in Http_socket_free /home/magnus/dillo/src/IO/http.c:318
    #6 0x56105f829ee2 in a_Http_ccc /home/magnus/dillo/src/IO/http.c:920
    #7 0x56105f77358d in a_Chain_bcb (/home/magnus/dillo/src/dillo+0x16858d) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #8 0x56105f78cbf7 in a_Capi_ccc (/home/magnus/dillo/src/dillo+0x181bf7) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #9 0x56105f78a6ea in a_Capi_conn_abort_by_url (/home/magnus/dillo/src/dillo+0x17f6ea) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #10 0x56105f78c8bb in a_Capi_stop_client (/home/magnus/dillo/src/dillo+0x1818bb) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #11 0x56105f758cb7 in a_Bw_stop_clients (/home/magnus/dillo/src/dillo+0x14dcb7) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #12 0x56105f778835 in Nav_open_url (/home/magnus/dillo/src/dillo+0x16d835) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #13 0x56105f7792b9 in Nav_repush (/home/magnus/dillo/src/dillo+0x16e2b9) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #14 0x56105f7792e0 in Nav_repush_callback (/home/magnus/dillo/src/dillo+0x16e2e0) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #15 0x7f815a581fe3 in Fl::wait(double) (/usr/lib64/libfltk.so.1.3+0x41fe3) (BuildId: f2ecde5004360c1836d560b4542938b912d24c33)
    #16 0x56105f82e4a8 in Tls_check_cert_hostname /home/magnus/dillo/src/IO/tls_openssl.c:725
    #17 0x56105f82eca9 in Tls_examine_certificate /home/magnus/dillo/src/IO/tls_openssl.c:864
    #18 0x56105f830821 in Tls_connect /home/magnus/dillo/src/IO/tls_openssl.c:1206
    #19 0x56105f8309fa in Tls_connect_cb /home/magnus/dillo/src/IO/tls_openssl.c:1238
    #20 0x7f815a5e2989 (/usr/lib64/libfltk.so.1.3+0xa2989) (BuildId: f2ecde5004360c1836d560b4542938b912d24c33)

previously allocated by thread T0 here:
    #0 0x7f815aef9cd7 in malloc (/usr/lib64/libasan.so.8+0xf9cd7) (BuildId: 4a8505bee5ce42b81c4c9e1235c2851911c68054)
    #1 0x56105f81c2fa in dMalloc (/home/magnus/dillo/src/dillo+0x2112fa) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #2 0x56105f81c375 in dMalloc0 (/home/magnus/dillo/src/dillo+0x211375) (BuildId: e0037263c7a2a686e2a3a065c9f3703fa201643b)
    #3 0x56105f82bd8e in Tls_conn_new /home/magnus/dillo/src/IO/tls_openssl.c:165
    #4 0x56105f830ce2 in a_Tls_openssl_connect /home/magnus/dillo/src/IO/tls_openssl.c:1286
    #5 0x56105f82b8bc in a_Tls_connect /home/magnus/dillo/src/IO/tls.c:149
    #6 0x56105f826eb1 in Http_connect_tls /home/magnus/dillo/src/IO/http.c:530
    #7 0x56105f827423 in Http_connect_socket_cb /home/magnus/dillo/src/IO/http.c:564
    #8 0x7f815a5e2989 (/usr/lib64/libfltk.so.1.3+0xa2989) (BuildId: f2ecde5004360c1836d560b4542938b912d24c33)

SUMMARY: AddressSanitizer: heap-use-after-free /home/magnus/dillo/src/IO/tls_openssl.c:1233 in Tls_connect
Shadow bytes around the buggy address:
  0x5030002dbf80: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
  0x5030002dc000: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x5030002dc080: fd fd fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x5030002dc100: fd fd fd fa fa fa fd fd fd fd fa fa 00 00 00 fa
  0x5030002dc180: fa fa 00 00 00 fa fa fa fd fd fd fd fa fa fd fd
=>0x5030002dc200: fd[fd]fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x5030002dc280: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x5030002dc300: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x5030002dc380: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x5030002dc400: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x5030002dc480: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22123==ABORTING