infinite recursion in HTMLlineproc0

[kcwu]

input (xxd cases/tats-w3m-88)

00000000: 3c74 6162 6c65 3e3c 756c 3e3c 7472 3e3c  <table><ul><tr><
00000010: 2f6f 6c3e 3c74 6162 6c65 3e30 3c63 6170  /ol><table>0<cap
00000020: 7469 6f6e 3e30 30                        tion>00

how to reproduce:

./w3m-tats -T text/html -dump cases/tats-w3m-88

found by afl-fuzz

[kcwu]

gdb stacktrace

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78800fe in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
(gdb) bt 50
#0  0x00007ffff78800fe in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#1  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#2  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#3  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#4  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#5  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#6  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#7  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#8  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#9  0x00007ffff787cdcc in GC_generic_malloc_many () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#10 0x00007ffff7885ab9 in GC_malloc () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#11 0x0000000000486ce4 in Strnew () at Str.c:39
#12 0x0000000000422aef in flushline (h_env=0x7fffffffb5b0, obuf=0x7fffffffb380, indent=-4, force=0, width=1) at file.c:2922
#13 0x000000000042df68 in HTMLlineproc0 (line=0x149fae2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6627
#14 0x000000000042df80 in HTMLlineproc0 (line=0x149faf2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#15 0x000000000042df80 in HTMLlineproc0 (line=0x149fb02 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#16 0x000000000042df80 in HTMLlineproc0 (line=0x149fb12 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#17 0x000000000042df80 in HTMLlineproc0 (line=0x149fb22 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#18 0x000000000042df80 in HTMLlineproc0 (line=0x149fb32 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#19 0x000000000042df80 in HTMLlineproc0 (line=0x149fb42 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#20 0x000000000042df80 in HTMLlineproc0 (line=0x149fb52 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#21 0x000000000042df80 in HTMLlineproc0 (line=0x149fb62 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#22 0x000000000042df80 in HTMLlineproc0 (line=0x149fb72 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#23 0x000000000042df80 in HTMLlineproc0 (line=0x149fb82 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#24 0x000000000042df80 in HTMLlineproc0 (line=0x149fb92 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#25 0x000000000042df80 in HTMLlineproc0 (line=0x149fba2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#26 0x000000000042df80 in HTMLlineproc0 (line=0x149fbb2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#27 0x000000000042df80 in HTMLlineproc0 (line=0x149fbc2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#28 0x000000000042df80 in HTMLlineproc0 (line=0x149fbd2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#29 0x000000000042df80 in HTMLlineproc0 (line=0x149fbe2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#30 0x000000000042df80 in HTMLlineproc0 (line=0x149fbf2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#31 0x000000000042df80 in HTMLlineproc0 (line=0x149fc02 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#32 0x000000000042df80 in HTMLlineproc0 (line=0x149fc12 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#33 0x000000000042df80 in HTMLlineproc0 (line=0x149fc22 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#34 0x000000000042df80 in HTMLlineproc0 (line=0x149fc32 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#35 0x000000000042df80 in HTMLlineproc0 (line=0x149fc42 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631

crash inside GC_clear_stack_inner because it failed to allocate stack.

[tats]

Fixed, thank you.

[carnil]

This issue has been assigned CVE-2018-6196

[BENZINALT]

REF ID:A4l.76
8
·1
safety- or defense he may order that the invention .1be kept
2
secret and vvithhold the grant of a paten~ for such period
3
or periods as in his opii1ion the national interest requires:
4
Prnvided, That the invention disclosed in· the application for
5
said patent may be held abandoned upon it being established
6
before or by the Commissioner that in violation of said order
7
said invention has been published or disclo.sed or that an
in
8
application for a patent therefor has been filed
a foreign
9
.country by the inventor or his assigns or legal representatives,
10
without the consent· or approval of . the Commissioner of
11
Patents-.
12 -
"When an applicant whose patent is withheld as herein
13
provided and who faithfully obeys the order of the Com-
14
missioner of Patents above referred to shall tender his inven-
15
tion to the Government of the United States for its use,
16
he shall, if and when he ultimately receives a patent, have _
J.;7
the right to sue for" compensation in the Court of Claims,
18
or in the district courts of the United States insofar as such
19
courts may have concurrent jurisdiction with the Court of
20
Claims, such right to compensation to begin from the date
21
of the use of the invention by the Government: Provided,
·22
That the Secretary of War or the Secretary of the Navy
23
or the chief officer -of any established defense agency of the
24
United States, as the case may be, is authorized to enter
25
into an agreement with the said applicant in full settlement