heap corruption due to integer overflow in renderTable() #25
This bug is interesting since it triggered libgc's issue ivmai/bdwgc#135 as well.
How to reproduce
This demonstrates libgc's bug. n+1 == -3413. libgc treats it as
If we continue to run
With further investigation, w3m's negative size comes from table.c, renderTable(), line 1733
found by afl-fuzz
5632662 comes from file.c 5016
I'm not familiar enough with HTML and don't know what a percentage larger than 100% means. Maybe we should cap it to 100%?
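Added illustration of the bug class in this report, not w3m's renderTable() code or libgc's allocator: an int width scaled by a percentage wraps past INT_MAX, the result goes negative, and the negative count is converted to size_t on its way to an allocator. The helper names, the `width * percent / 100` formula, the over-100% sample percentage and the use of 5632662 as the sample width are assumptions made for the example; the hardened variant applies the cap at 100% suggested above plus a 64-bit multiplication and a negative-count guard.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not w3m or libgc code. Helper names and the scaling
 * formula are assumptions. */

/* Buggy pattern: width * percent computed in 32 bits. Signed overflow is
 * undefined behaviour in C, so the product is formed in uint32_t here to
 * reproduce deterministically the wraparound a real build typically shows. */
int scaled_width_unchecked(int width, int percent)
{
    uint32_t wrapped = (uint32_t)width * (uint32_t)percent;
    int product = (int)wrapped;   /* sign bit set once the product exceeds INT_MAX */
    return product / 100;         /* a negative "width" from here on */
}

/* What a negative count turns into at an allocator boundary: n+1 converted to
 * size_t is enormous, so malloc either fails or, in an allocator that does not
 * reject it, corrupts the heap. Returns the byte count that would be requested. */
size_t request_size_for_cells(int n, size_t elem)
{
    return (size_t)(n + 1) * elem;   /* (size_t)(-3413) == SIZE_MAX - 3412 */
}

/* Hardened version: reject negative inputs, cap the percentage at 100%, and
 * multiply in 64 bits so the product cannot overflow. */
bool scaled_width_checked(int width, int percent, int *out)
{
    if (width < 0 || percent < 0)
        return false;
    if (percent > 100)
        percent = 100;                                  /* the cap proposed in the report */
    long long product = (long long)width * percent;     /* at most INT_MAX * 100, fits in 64 bits */
    long long scaled = product / 100;
    if (scaled > INT_MAX)
        return false;                                   /* unreachable after the cap; kept as a guard */
    *out = (int)scaled;
    return true;
}

/* Convenience wrapper for callers that want a single return value: the scaled
 * width, or -1 when the inputs are rejected. */
int scaled_width_or_minus1(int width, int percent)
{
    int w;
    return scaled_width_checked(width, percent, &w) ? w : -1;
}

/* Allocation guard: refuse a negative count and a count*elem overflow. */
void *alloc_cells_checked(int n, size_t elem)
{
    if (n < 0)
        return NULL;
    size_t count = (size_t)n + 1;          /* cannot overflow: n <= INT_MAX */
    if (elem != 0 && count > SIZE_MAX / elem)
        return NULL;
    return calloc(count, elem);
}

int main(void)
{
    /* Sample inputs (constructed): the width figure quoted in the report and
       an over-100% percentage of the kind the reporter suspects. */
    int width = 5632662, percent = 400;
    int bad = scaled_width_unchecked(width, percent);
    printf("unchecked: %d%% of %d -> %d\n", percent, width, bad);
    printf("allocation request for that count: %zu bytes\n",
           request_size_for_cells(bad, sizeof(int)));
    printf("checked:   %d%% of %d -> %d (percentage capped to 100%%)\n",
           percent, width, scaled_width_or_minus1(width, percent));
    void *p = alloc_cells_checked(bad, sizeof(int));
    printf("guarded allocation with negative count: %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

The allocator-side guard matters independently of the cap: even with the percentage bounded, any caller that hands a signed count to a size_t parameter should reject negatives before the conversion, since a negative int becomes a request of nearly SIZE_MAX bytes.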