
crash due to `bcopy` with negative size #13

Closed
kcwu opened this issue Aug 16, 2016 · 4 comments

Comments

@kcwu
Contributor

commented Aug 16, 2016

How to reproduce

$ echo -e '<table><title><listing><body><table></internal>00000/000\n<td>000000<textarea rows=2>' | ./w3m -T text/html -dump
Program received signal SIGSEGV, Segmentation fault.
__memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1653
1653    ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S: No such file or directory.
(gdb) bt
#0  __memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1653
#1  0x000000000044f003 in form_update_line (line=0x7d0ea0, str=0x7fffffffcc80, spos=10, epos=30, width=5, newline=1, password=0) at form.c:399
#2  0x000000000044f480 in formUpdateBuffer (a=0x7e7000, buf=0x7cee00, form=0x7e6f80) at form.c:482
#3  0x000000000044ea69 in formResetBuffer (buf=0x7cee00, formitem=0x7e4bc0) at form.c:268
#4  0x000000000042c5eb in loadHTMLBuffer (f=0x7fffffffd120, newBuf=0x7cee00) at file.c:6761
#5  0x0000000000416a40 in loadSomething (f=0x7fffffffd120, loadproc=0x42c4b2 <loadHTMLBuffer>, defaultbuf=0x7cee00) at file.c:224
#6  0x000000000041c7e6 in loadGeneralFile (path=0x7c3ae0 "", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2241
#7  0x00000000004070d1 in main (argc=5, argv=0x7fffffffd448, envp=0x7fffffffd478) at main.c:1020
(gdb) up
#1  0x000000000044f003 in form_update_line (line=0x7d0ea0, str=0x7fffffffcc80, spos=10, epos=30, width=5, newline=1, password=0) at form.c:399
399         bcopy((void *)&line->lineBuf[epos], (void *)&buf[pos],
(gdb) l
394             if (*p == '\n')
395                 p++;
396         }
397         *str = p;
398
399         bcopy((void *)&line->lineBuf[epos], (void *)&buf[pos],
400               (line->len - epos) * sizeof(char));
401         bcopy((void *)&line->propBuf[epos], (void *)&prop[pos],
402               (line->len - epos) * sizeof(Lineprop));
403         line->lineBuf = buf;
(gdb) p line->len
$1 = 15
(gdb) p epos
$2 = 30

Crash because bcopy is called with a negative size.

This was found by afl-fuzz.
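The bug class behind this trace, as an added example that is not w3m's code or its fix: a stand-in for the copy at form.c:399 shows how `line->len - epos` goes negative with the values from the session (15 - 30) and, once converted to the size_t length parameter of `bcopy`/`memmove`, becomes a huge count that runs the copy off the end of the buffer; beside it, a checked variant rejects an `epos` past the end of the line before any copy happens. The `Line` struct, the `tail_copy_*` functions and the sample buffer are assumptions made for illustration only.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for w3m's Line: only the two fields the crash
 * involves. This is not w3m's real struct. */
typedef struct {
    char *lineBuf;
    int   len;
} Line;

/* The size expression as it is shaped at form.c:399, evaluated only for
 * inspection. bcopy() takes a size_t, so a negative int becomes a value
 * close to SIZE_MAX and the copy overruns both source and destination. */
static size_t tail_copy_size_unchecked(int len, int epos)
{
    return (size_t)((len - epos) * (int)sizeof(char));
}

/* Hardened variant (illustrative, not the upstream fix): validate epos
 * against the line length and the destination capacity before copying.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
static int tail_copy_checked(const Line *line, int epos, char *dst, size_t dst_cap)
{
    if (line == NULL || line->lineBuf == NULL || epos < 0 || epos > line->len)
        return -1;                          /* epos beyond end of line */
    size_t n = (size_t)(line->len - epos);  /* non-negative after the check */
    if (n > dst_cap)
        return -1;                          /* destination too small */
    /* memmove(dst, src, n) is the same copy as bcopy(src, dst, n). */
    memmove(dst, line->lineBuf + epos, n);
    return (int)n;
}

int main(void)
{
    /* Constructed 15-byte line, matching line->len = 15 from the gdb session. */
    char src[] = "ABCDEFGHIJKLMNO";
    Line line = { src, 15 };
    char dst[16] = {0};

    /* epos = 30 as in the crash: the unchecked size wraps to a huge value. */
    printf("unchecked size for len=15, epos=30: %zu bytes\n",
           tail_copy_size_unchecked(line.len, 30));

    /* The checked copy refuses the same arguments instead of overrunning. */
    printf("checked copy with epos=30: %d\n", tail_copy_checked(&line, 30, dst, sizeof dst));

    /* A legitimate tail copy still works. */
    int n = tail_copy_checked(&line, 10, dst, sizeof dst);
    printf("checked copy with epos=10: %d bytes -> \"%.*s\"\n", n, n, dst);
    return 0;
}
```

Compiling with `-fsanitize=address` and a genuine copy in place of `tail_copy_size_unchecked` reproduces the overrun deterministically, which is the same class of fault the fuzzer surfaced here.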

@kcwu

Contributor Author

commented Aug 17, 2016

Another case (you can use xxd -r to revert it to binary):

00000000: 3030 303c 6275 7474 6f6e 2076 616c 7565  000<button value
00000010: 3d27 223e 3c69 6e74 6572 6e61 6c3e 273e  ='"><internal>'>
00000020: 3030 3030 3030 3030 303c 6973 696e 6465  000000000<isinde
00000030: 783e                                     x>

tats added a commit that referenced this issue Aug 18, 2016

@tats

Owner

commented Aug 18, 2016

Fixed, thank you.

@tats tats closed this Aug 18, 2016

@kcwu

Contributor Author

commented Aug 28, 2016

Another case, not fixed yet:

00000000: 303c 7461 626c 653e 3c62 3c3e 003c 6c69  0<table><b<>.<li
00000010: 7374 696e 673e 3c69 6e74 6572 6e61 6c3e  sting><internal>
00000020: 3c69 6e70 7574 3e                        <input>

tats added a commit that referenced this issue Aug 29, 2016

@tats

Owner

commented Aug 29, 2016

another case not fixed yet

Fixed, thank you.
