[BUG] out of bound write in checkType, etc.c:441 #242

Closed
@kdsjZh

Description

Hello, I found an out-of-bounds write in w3m, in function checkType, etc.c:441, while testing my new fuzzer.

Steps to reproduce

export CC="gcc -fsanitize=address -g"
./configure --disable-shared && make -j8
./w3m $POC

Environment

  • Ubuntu 22.04 (docker image)
  • w3m latest commit c515ea8
  • gcc 11.2.0

ASan log

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1795279==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5639811267b7 bp 0x7f4212857ffe sp 0x7ffdc528ad90 T0)
==1795279==The signal is caused by a WRITE memory access.
==1795279==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x5639811267b7 in checkType /validate/w3m/etc.c:441
    #1 0x5639810ea5e2 in loadBuffer /validate/w3m/file.c:7717
    #2 0x563981110094 in loadSomething /validate/w3m/file.c:230
    #3 0x563981110094 in loadGeneralFile /validate/w3m/file.c:2286
    #4 0x5639810ab87d in main /validate/w3m/main.c:1053
    #5 0x7f42159b4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f42159b4e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x5639810af284 in _start (/validate/w3m/w3m+0xb3284)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS /validate/w3m/etc.c:441 in checkType
==1795279==ABORTING

Credit

Han Zheng
NCNIPC of China
Hexhive

POC

poc0.zip
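A small triage helper for fuzzer-found reports like the one above, added here as an example; it is not part of this issue and not w3m's own code. It parses an ASan report into structured fields (error kind, access type, faulting pc, stack frames), picks out the first frame inside the project tree, and derives a bucketing key from the top in-project function names so that repeated findings from a fuzzing campaign can be deduplicated before filing. The sample log is copied from the report above; the project root `/validate/w3m/` is simply the build path visible in that trace and is passed in as a parameter.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the ASan output from the report above (signal report,
# frames and summary only), used here as constructed test data.
SAMPLE_LOG = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1795279==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5639811267b7 bp 0x7f4212857ffe sp 0x7ffdc528ad90 T0)
==1795279==The signal is caused by a WRITE memory access.
    #0 0x5639811267b7 in checkType /validate/w3m/etc.c:441
    #1 0x5639810ea5e2 in loadBuffer /validate/w3m/file.c:7717
    #2 0x563981110094 in loadSomething /validate/w3m/file.c:230
    #3 0x563981110094 in loadGeneralFile /validate/w3m/file.c:2286
    #4 0x5639810ab87d in main /validate/w3m/main.c:1053
    #5 0x7f42159b4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f42159b4e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x5639810af284 in _start (/validate/w3m/w3m+0xb3284)
SUMMARY: AddressSanitizer: BUS /validate/w3m/etc.c:441 in checkType
==1795279==ABORTING
"""

# "==PID==ERROR: AddressSanitizer: <kind> on ..." covers both signal reports
# (BUS, SEGV) and shadow-memory reports (heap-buffer-overflow, ...).
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z0-9_-]+) on ")
PC_RE = re.compile(r"\bpc (0x[0-9a-f]+)")
# Signal reports state the access type on a separate line ...
SIGNAL_ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access\.")
# ... while shadow-memory reports use "READ/WRITE of size N at 0x...".
SIZED_ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size \d+ at ")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) (?P<addr>0x[0-9a-f]+) in (?P<func>\S+) (?P<loc>.+)$")


@dataclass
class Frame:
    index: int
    addr: str
    func: str
    loc: str  # "file.c:line" or "(binary+0xoffset)" when unsymbolized


@dataclass
class AsanReport:
    kind: str = "unknown"
    access: str = "unknown"
    pc: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)

    def project_frames(self, project_root: str) -> List[Frame]:
        """Frames whose source location lies under project_root (libc and
        unsymbolized frames such as '(/path/w3m+0x...)' are skipped)."""
        return [f for f in self.frames if f.loc.startswith(project_root)]


def parse_asan(text: str) -> AsanReport:
    """Parse one ASan report; unknown lines are ignored, so a partial
    or truncated log still yields a (partially filled) report."""
    rep = AsanReport()
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            rep.kind = m.group("kind")
            pm = PC_RE.search(line)
            if pm:
                rep.pc = pm.group(1)
            continue
        m = SIGNAL_ACCESS_RE.match(line) or SIZED_ACCESS_RE.match(line)
        if m:
            rep.access = m.group("access")
            continue
        m = FRAME_RE.match(line)
        if m:
            rep.frames.append(Frame(int(m.group("idx")), m.group("addr"),
                                    m.group("func"), m.group("loc")))
    return rep


def bucket_key(rep: AsanReport, project_root: str, depth: int = 3) -> str:
    """Stable dedup key: error kind plus the top in-project functions.
    Two crashes with the same key are almost certainly the same bug."""
    funcs = [f.func for f in rep.project_frames(project_root)[:depth]]
    return rep.kind + ":" + ">".join(funcs)


def triage(text: str, project_root: str) -> dict:
    """One-line summary of a report, suitable for a fuzzer's crash index."""
    rep = parse_asan(text)
    top = rep.project_frames(project_root)
    return {
        "kind": rep.kind,
        "access": rep.access,
        "pc": rep.pc,
        "crash_site": f"{top[0].func} ({top[0].loc})" if top else None,
        "frames": len(rep.frames),
        "bucket": bucket_key(rep, project_root),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "/validate/w3m/"))
```

Run against the log above, `triage` reports a `WRITE` fault of kind `BUS` at `checkType (/validate/w3m/etc.c:441)` with bucket key `BUS:checkType>loadBuffer>loadSomething`; feeding it a heap-buffer-overflow report instead picks up the kind and the `READ/WRITE of size N` line through the second regex. The unsymbolized `_start` frame is deliberately excluded from the project frames because its location is a binary offset, not a source file.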
