
crash due to bcopy with negative size #13

Closed
kcwu opened this issue Aug 16, 2016 · 4 comments

Comments

@kcwu
Contributor

kcwu commented Aug 16, 2016

How to reproduce

$ echo -e '<table><title><listing><body><table></internal>00000/000\n<td>000000<textarea rows=2>' | ./w3m -T text/html -dump
Program received signal SIGSEGV, Segmentation fault.
__memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1653
1653    ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S: No such file or directory.
(gdb) bt
#0  __memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1653
#1  0x000000000044f003 in form_update_line (line=0x7d0ea0, str=0x7fffffffcc80, spos=10, epos=30, width=5, newline=1, password=0) at form.c:399
#2  0x000000000044f480 in formUpdateBuffer (a=0x7e7000, buf=0x7cee00, form=0x7e6f80) at form.c:482
#3  0x000000000044ea69 in formResetBuffer (buf=0x7cee00, formitem=0x7e4bc0) at form.c:268
#4  0x000000000042c5eb in loadHTMLBuffer (f=0x7fffffffd120, newBuf=0x7cee00) at file.c:6761
#5  0x0000000000416a40 in loadSomething (f=0x7fffffffd120, loadproc=0x42c4b2 <loadHTMLBuffer>, defaultbuf=0x7cee00) at file.c:224
#6  0x000000000041c7e6 in loadGeneralFile (path=0x7c3ae0 "", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2241
#7  0x00000000004070d1 in main (argc=5, argv=0x7fffffffd448, envp=0x7fffffffd478) at main.c:1020
(gdb) up
#1  0x000000000044f003 in form_update_line (line=0x7d0ea0, str=0x7fffffffcc80, spos=10, epos=30, width=5, newline=1, password=0) at form.c:399
399         bcopy((void *)&line->lineBuf[epos], (void *)&buf[pos],
(gdb) l
394             if (*p == '\n')
395                 p++;
396         }
397         *str = p;
398
399         bcopy((void *)&line->lineBuf[epos], (void *)&buf[pos],
400               (line->len - epos) * sizeof(char));
401         bcopy((void *)&line->propBuf[epos], (void *)&prop[pos],
402               (line->len - epos) * sizeof(Lineprop));
403         line->lineBuf = buf;
(gdb) p line->len
$1 = 15
(gdb) p epos
$2 = 30

Crash because bcopy is called with a negative size.

This was found by afl-fuzz.
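The gdb values above (line->len = 15, epos = 30) make the root cause concrete: `(line->len - epos)` is signed arithmetic that yields -15, and bcopy/memmove take a size_t, so the length becomes a huge unsigned value and the copy runs off the end of the buffer. The following is an added example, not w3m's code and not the maintainer's fix: a toy line structure (hypothetical `ToyLine`, field names chosen to mirror the listing) with the unchecked length computation beside a hardened copy that validates `epos` against `line->len` and the destination capacity before copying.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the line object in form.c; only the two
 * fields the crashing statement uses are modelled here. */
typedef struct {
    char *lineBuf;
    int len;
} ToyLine;

/* Reproduces the arithmetic of form.c:399 without performing a copy:
 * (len - epos) is an int, but the size argument is a size_t, so a
 * negative difference wraps to a value near SIZE_MAX. */
size_t unchecked_copy_len(int len, int epos) {
    return (size_t)(len - epos) * sizeof(char);
}

/* True when the unchecked computation would go negative, i.e. when the
 * caller's end position lies past the end of the line. */
int copy_len_is_negative(int len, int epos) {
    return (len - epos) < 0;
}

/* Hardened tail copy (hypothetical, for illustration): reject an epos
 * outside [0, len], then bound the write into dst. Returns the number of
 * bytes copied, or -1 if the request was rejected. */
long safe_copy_tail(const ToyLine *line, int epos,
                    char *dst, size_t dst_cap, size_t pos) {
    if (line == NULL || dst == NULL)
        return -1;
    if (epos < 0 || epos > line->len)          /* the missing check */
        return -1;
    size_t n = (size_t)(line->len - epos);      /* now guaranteed >= 0 */
    if (pos > dst_cap || n > dst_cap - pos)     /* destination bounds */
        return -1;
    memmove(dst + pos, line->lineBuf + epos, n);
    return (long)n;
}

int main(void) {
    /* Constructed 15-byte line, matching line->len from the gdb session. */
    char src[] = "0123456789abcde";
    ToyLine line = { src, 15 };
    char dst[32] = {0};

    printf("len=15 epos=30: negative=%d, size passed to bcopy=%zu\n",
           copy_len_is_negative(15, 30), unchecked_copy_len(15, 30));

    long r = safe_copy_tail(&line, 30, dst, sizeof dst, 0);
    printf("safe_copy_tail with epos=30 -> %ld (rejected)\n", r);

    r = safe_copy_tail(&line, 10, dst, sizeof dst, 0);
    printf("safe_copy_tail with epos=10 -> %ld bytes: %.*s\n", r, (int)r, dst);
    return 0;
}
```

The detection side of this is the same check the hardened function performs: any caller whose end position can exceed the line length must be validated before the difference is handed to a size_t parameter, since the compiler will not warn about the signed-to-unsigned conversion here.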

@kcwu
Contributor Author

kcwu commented Aug 17, 2016

Another case (you can use xxd -r to convert it back to binary):

00000000: 3030 303c 6275 7474 6f6e 2076 616c 7565  000<button value
00000010: 3d27 223e 3c69 6e74 6572 6e61 6c3e 273e  ='"><internal>'>
00000020: 3030 3030 3030 3030 303c 6973 696e 6465  000000000<isinde
00000030: 783e                                     x>

tats added a commit that referenced this issue Aug 18, 2016
@tats
Owner

tats commented Aug 18, 2016

Fixed, thank you.

@tats tats closed this as completed Aug 18, 2016
@kcwu
Contributor Author

kcwu commented Aug 28, 2016

Another case, not fixed yet:

00000000: 303c 7461 626c 653e 3c62 3c3e 003c 6c69  0<table><b<>.<li
00000010: 7374 696e 673e 3c69 6e74 6572 6e61 6c3e  sting><internal>
00000020: 3c69 6e70 7574 3e                        <input>

tats added a commit that referenced this issue Aug 29, 2016
@tats
Owner

tats commented Aug 29, 2016

another case not fixed yet

Fixed, thank you.
