
segfault due to write to lineBuf[-1] in addMultirowsForm #21

Closed
kcwu opened this issue Aug 19, 2016 · 4 comments

@kcwu (Contributor) commented Aug 19, 2016

$ xxd crash
00000000: 303c 7461 626c 6520 7769 6474 683d 3230  0<table width=20
00000010: 3e30 3c74 6974 6c65 3e3c 6c69 7374 696e  >0<title><listin
00000020: 673e 3c62 6f64 793e 3c74 6162 6c65 3e3c  g><body><table><
00000030: 2f69 6e74 6572 6e61 6c3e 3c74 643e f830  /internal><td>.0
00000040: 30d1 3030 0430 30fa 3030 2030 303d 3030  0.00.00.00 00=00
00000050: 9b30 309b 3030 9b3c 696e 7465 726e 616c  .00.00.<internal
00000060: 3e3c 7465 7874 6172 6561 2072 6f77 733d  ><textarea rows=
00000070: 3230 3e                                  20>
$ gdb --args ./w3m -T text/html -dump crash
Program received signal SIGSEGV, Segmentation fault.
0x00000000004757ce in addMultirowsForm (buf=0x7d3e00, al=0x7f3540) at anchor.c:688
688                 l->lineBuf[pos - 1] = '[';
(gdb) p pos
$1 = 0
(gdb) bt
#0  0x00000000004757ce in addMultirowsForm (buf=0x7d3e00, al=0x7f3540) at anchor.c:688
#1  0x000000000042aaff in HTMLlineproc2body (buf=0x7d3e00, feed=0x4280d9 <textlist_feed>, llimit=-1) at file.c:6136
#2  0x000000000042ad0c in HTMLlineproc2 (buf=0x7d3e00, tl=0x7cc120) at file.c:6189
#3  0x000000000042def6 in loadHTMLstream (f=0x7fffffffd140, newBuf=0x7d3e00, src=0x0, internal=0) at file.c:7275
#4  0x000000000042c71f in loadHTMLBuffer (f=0x7fffffffd140, newBuf=0x7d3e00) at file.c:6772
#5  0x0000000000416a90 in loadSomething (f=0x7fffffffd140, loadproc=0x42c61d <loadHTMLBuffer>, defaultbuf=0x7d3e00) at file.c:224
#6  0x000000000041c8ae in loadGeneralFile (path=0x7c3b00 "exp", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2245
#7  0x0000000000407121 in main (argc=5, argv=0x7fffffffd468, envp=0x7fffffffd498) at main.c:1020

This was found by afl-fuzz.
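A guarded version of the two writes at the crash site, added here as an illustration; it is not code from w3m or from either participant. The Line struct, bracket_form_field and demo are constructed stand-ins for the real Line and addMultirowsForm, and the column loop that follows the two writes in anchor.c is not shown on the page, so it is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for w3m's line record: the text and its length.
 * Only the two fields the crash site touches are modelled. */
typedef struct {
    char *lineBuf;
    int len;
} Line;

/* Bracket a form field occupying columns [pos, pos + width) with '[' and ']':
 * the same two writes as anchor.c:688/689, but guarded.
 *   lineBuf[pos - 1] is only valid for pos >= 1 (pos == 0 is the reported crash),
 *   lineBuf[pos + width] is only valid while it stays inside the line.
 * Returns true if the marks were written, false if the line was left untouched. */
bool bracket_form_field(Line *l, int pos, int width)
{
    if (l == NULL || l->lineBuf == NULL || l->len <= 0)
        return false;
    if (pos < 1 || pos >= l->len)              /* pos == 0 would write lineBuf[-1] */
        return false;
    if (width < 0 || width >= l->len - pos)    /* ']' at pos + width must stay in the line */
        return false;
    int end = pos + width;
    l->lineBuf[pos - 1] = '[';
    l->lineBuf[end] = ']';
    return true;
}

/* Helper for stand-alone runs: apply the bracketing to a constructed 10-column
 * line, copy the (possibly unchanged) text to out, and report whether it was applied. */
bool demo(int pos, int width, char *out, size_t outsz)
{
    char text[] = "0123456789";                /* constructed sample line */
    Line l = { text, (int)(sizeof text - 1) };
    bool ok = bracket_form_field(&l, pos, width);
    strncpy(out, text, outsz - 1);
    out[outsz - 1] = '\0';
    return ok;
}

int main(void)
{
    char out[16];
    demo(3, 4, out, sizeof out);   /* applied: "01[3456]89" */
    demo(0, 4, out, sizeof out);   /* refused: pos == 0, the fuzzer's case */
    return 0;
}
```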

@tats (Owner) commented Aug 24, 2016

Hmm, unreproducible for me.

Could you please provide more information and/or patches for the latest source?

@kcwu (Contributor, Author) commented Aug 28, 2016

I have tried to read the code but don't understand it yet.

Could you reproduce with the following change?

diff --git a/anchor.c b/anchor.c
index 2d21bfa..9791a60 100644
--- a/anchor.c
+++ b/anchor.c
@@ -1,4 +1,5 @@
 /* $Id: anchor.c,v 1.33 2006/04/08 11:33:16 inu Exp $ */
+#include <assert.h>
 #include "fm.h"
 #include "myctype.h"
 #include "regex.h"
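Review bot: assert.h is only a diagnostic aid; if the w3m build passes -DNDEBUG in its CFLAGS, assert() expands to nothing and the check added in the second hunk will never fire, so it is worth confirming that the binary used for the reproduction attempt was built without NDEBUG (and with -g, as in the gdb session above).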
@@ -685,6 +686,7 @@ addMultirowsForm(Buffer *buf, AnchorList *al)
            a->hseq = a_form.hseq;
            a->y = a_form.y;
            a->end.pos = pos + ecol - col;
+            assert(pos > 1);
            l->lineBuf[pos - 1] = '[';
            l->lineBuf[a->end.pos] = ']';
            for (k = pos; k < a->end.pos; k++)
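Review bot: `assert(pos > 1)` is stricter than the failing write requires. The crash is at `l->lineBuf[pos - 1] = '[';` with pos == 0 (see the gdb output above), and that index is valid for any pos >= 1, so `assert(pos >= 1)` matches the defect while `pos > 1` would also abort on a legitimate field starting at column 1. An assert also only turns the out-of-bounds write into an abort; a fix for the reported case would skip or clamp the '[' write when pos is 0, and the following `l->lineBuf[a->end.pos] = ']';` has no check that end.pos lies within the line either.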

tats added a commit that referenced this issue Aug 29, 2016

@tats (Owner) commented Aug 29, 2016

Though still unreproducible, a workaround patch has been applied.

tats closed this Aug 29, 2016

@kcwu (Contributor, Author) commented Aug 29, 2016

Since you still cannot reproduce, I will continue to investigate later.
