segfault due to write to lineBuf[-1] in addMultirowsForm

[kcwu]

$ xxd crash
00000000: 303c 7461 626c 6520 7769 6474 683d 3230  0<table width=20
00000010: 3e30 3c74 6974 6c65 3e3c 6c69 7374 696e  >0<title><listin
00000020: 673e 3c62 6f64 793e 3c74 6162 6c65 3e3c  g><body><table><
00000030: 2f69 6e74 6572 6e61 6c3e 3c74 643e f830  /internal><td>.0
00000040: 30d1 3030 0430 30fa 3030 2030 303d 3030  0.00.00.00 00=00
00000050: 9b30 309b 3030 9b3c 696e 7465 726e 616c  .00.00.<internal
00000060: 3e3c 7465 7874 6172 6561 2072 6f77 733d  ><textarea rows=
00000070: 3230 3e                                  20>
$ gdb --args ./w3m -T text/html -dump crash
Program received signal SIGSEGV, Segmentation fault.
0x00000000004757ce in addMultirowsForm (buf=0x7d3e00, al=0x7f3540) at anchor.c:688
688                 l->lineBuf[pos - 1] = '[';
(gdb) p pos
$1 = 0
(gdb) bt
#0  0x00000000004757ce in addMultirowsForm (buf=0x7d3e00, al=0x7f3540) at anchor.c:688
#1  0x000000000042aaff in HTMLlineproc2body (buf=0x7d3e00, feed=0x4280d9 <textlist_feed>, llimit=-1) at file.c:6136
#2  0x000000000042ad0c in HTMLlineproc2 (buf=0x7d3e00, tl=0x7cc120) at file.c:6189
#3  0x000000000042def6 in loadHTMLstream (f=0x7fffffffd140, newBuf=0x7d3e00, src=0x0, internal=0) at file.c:7275
#4  0x000000000042c71f in loadHTMLBuffer (f=0x7fffffffd140, newBuf=0x7d3e00) at file.c:6772
#5  0x0000000000416a90 in loadSomething (f=0x7fffffffd140, loadproc=0x42c61d <loadHTMLBuffer>, defaultbuf=0x7d3e00) at file.c:224
#6  0x000000000041c8ae in loadGeneralFile (path=0x7c3b00 "exp", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2245
#7  0x0000000000407121 in main (argc=5, argv=0x7fffffffd468, envp=0x7fffffffd498) at main.c:1020

This is found by afl-fuzz

[tats]

Hmm, unreproducible for me.

Could you please provide more information and/or patches
for the latest source?

[kcwu]

I have tried to read code but didn't understand it yet.

Could you reproduce with following change?

diff --git a/anchor.c b/anchor.c
index 2d21bfa..9791a60 100644
--- a/anchor.c
+++ b/anchor.c
@@ -1,4 +1,5 @@
 /* $Id: anchor.c,v 1.33 2006/04/08 11:33:16 inu Exp $ */
+#include <assert.h>
 #include "fm.h"
 #include "myctype.h"
 #include "regex.h"
@@ -685,6 +686,7 @@ addMultirowsForm(Buffer *buf, AnchorList *al)
            a->hseq = a_form.hseq;
            a->y = a_form.y;
            a->end.pos = pos + ecol - col;
+            assert(pos > 1);
            l->lineBuf[pos - 1] = '[';
            l->lineBuf[a->end.pos] = ']';
            for (k = pos; k < a->end.pos; k++)

[tats]

Though still unreproducible, a workaround patch has been applied.

[kcwu]

Since you still cannot reproduce, I will continue to investigate later.