Closed
Description
Hello, I found an out-of-bounds write in w3m, in function checkType, etc.c:441, while testing my new fuzzer.
Steps to reproduce
export CC="gcc -fsanitize=address -g"
./configure --disable-shared && make -j8
./w3m $POC
Environment
- Ubuntu 22.04 (docker image)
- w3m latest commit c515ea8
- gcc 11.2.0
ASan log
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1795279==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5639811267b7 bp 0x7f4212857ffe sp 0x7ffdc528ad90 T0)
==1795279==The signal is caused by a WRITE memory access.
==1795279==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x5639811267b7 in checkType /validate/w3m/etc.c:441
#1 0x5639810ea5e2 in loadBuffer /validate/w3m/file.c:7717
#2 0x563981110094 in loadSomething /validate/w3m/file.c:230
#3 0x563981110094 in loadGeneralFile /validate/w3m/file.c:2286
#4 0x5639810ab87d in main /validate/w3m/main.c:1053
#5 0x7f42159b4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 0x7f42159b4e3f in __libc_start_main_impl ../csu/libc-start.c:392
#7 0x5639810af284 in _start (/validate/w3m/w3m+0xb3284)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS /validate/w3m/etc.c:441 in checkType
==1795279==ABORTING
Credit
Han Zheng
NCNIPC of China
Hexhive
POC
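As an added triage example, not part of the report above and not w3m's own code: a small parser that reduces the ASan report to its crash kind, access type and in-project frames, and derives a signature that ignores ASLR-dependent addresses and the PID so re-runs of the same crash deduplicate. The log is copied (abridged) from the report above; the source_root prefix is an assumption taken from the paths in the trace.

```python
import hashlib
import re
# ASan report copied (abridged) from the issue above; not a constructed sample.
ASAN_LOG = """\
==1795279==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5639811267b7 bp 0x7f4212857ffe sp 0x7ffdc528ad90 T0)
==1795279==The signal is caused by a WRITE memory access.
==1795279==Hint: this fault was caused by a dereference of a high value address (see register values below).
    #0 0x5639811267b7 in checkType /validate/w3m/etc.c:441
    #1 0x5639810ea5e2 in loadBuffer /validate/w3m/file.c:7717
    #2 0x563981110094 in loadSomething /validate/w3m/file.c:230
    #3 0x563981110094 in loadGeneralFile /validate/w3m/file.c:2286
    #4 0x5639810ab87d in main /validate/w3m/main.c:1053
    #5 0x7f42159b4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f42159b4e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x5639810af284 in _start (/validate/w3m/w3m+0xb3284)
SUMMARY: AddressSanitizer: BUS /validate/w3m/etc.c:441 in checkType
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>\S+)")
# Signal-style reports say "caused by a WRITE memory access"; shadow-check
# reports (heap-buffer-overflow etc.) say "WRITE of size N at 0x...".
ACCESS_RE = re.compile(r"caused by a (?P<a1>READ|WRITE) memory access|(?P<a2>READ|WRITE) of size \d+")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")

def parse_asan_report(text, source_root="/validate/w3m/"):  # source_root is an assumption
    kind = access = None
    frames = []
    for line in text.splitlines():
        if kind is None and (m := ERROR_RE.search(line)):
            kind = m.group("kind")
        if access is None and (m := ACCESS_RE.search(line)):
            access = m.group("a1") or m.group("a2")
        if m := FRAME_RE.search(line):
            frames.append((m.group("func"), m.group("loc")))
    # Only frames inside the project tree feed the signature, so libc/startup
    # frames and ASLR-dependent addresses do not split duplicates apart.
    project = [f for f in frames if f[1].startswith(source_root)]
    key = "|".join([kind or "?", access or "?"] + [f"{fn}@{loc}" for fn, loc in project[:3]])
    return {
        "kind": kind,
        "access": access,
        "frames": frames,
        "top_project_frame": project[0] if project else None,
        "signature": hashlib.sha256(key.encode()).hexdigest()[:16],
    }

if __name__ == "__main__":
    r = parse_asan_report(ASAN_LOG)
    print(r["kind"], r["access"], r["top_project_frame"], r["signature"])
```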