global-buffer-overflow write in formUpdateBuffer #29

Closed
kcwu opened this Issue Oct 3, 2016 · 1 comment

Comments

Projects
None yet
2 participants
@kcwu
Contributor

kcwu commented Oct 3, 2016

input

00000000: 303c 6275 7474 6f6e 2076 616c 7565 3d27  0<button value='
00000010: 223e 3c69 6e74 6572 6e61 6c3e 273e 3c41  "><internal>'><A
00000020: 2068 7265 663d 3e3c 6832 3e3c 696e 7075   href=><h2><inpu
00000030: 7420 7479 7065 3d22 7261 6469 6f22 3e    t type="radio">

How to reproduce

Build with ASan:
export CC=clang-3.6
export CFLAGS='-g -O0 -fsanitize=address'
export ASAN_OPTIONS='abort_on_error=1:detect_leaks=0'
./configure --enable-image=no
make clean all

./w3m -T text/html -dump input

AddressSanitizer output

==2826401==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a0eaa6 at pc 0x00000075f03c bp 0x7ffd06f92990 sp 0x7ffd06f92988
WRITE of size 1 at 0x000000a0eaa6 thread T0
    #0 0x75f03b in formUpdateBuffer /fuzz/w3m/form.c:448:6
    #1 0x7631ba in formResetBuffer /fuzz/w3m/form.c:272:2
    #2 0x5a4482 in loadHTMLBuffer /fuzz/w3m/file.c:6779:2
    #3 0x5aa4e0 in loadSomething /fuzz/w3m/file.c:224:16
    #4 0x595063 in loadGeneralFile /fuzz/w3m/file.c:2241:6
    #5 0x4f8bf9 in main /fuzz/w3m/main.c:1020:12
    #6 0x7f7afc164f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #7 0x447316 in _start (/fuzz/w3m/w3m.asan+0x447316)

0x000000a0eaa6 is located 58 bytes to the left of global variable '<string literal>' defined in 'buffer.c:62:21' (0xa0eae0) of size 7
  '<string literal>' is ascii string '*Null*'
0x000000a0eaa6 is located 5 bytes to the right of global variable '<string literal>' defined in 'buffer.c:18:18' (0xa0eaa0) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /fuzz/w3m/form.c:448 formUpdateBuffer
Shadow bytes around the buggy address:
  0x000080139d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080139d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080139d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080139d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080139d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080139d50: 00 00 00 00[01]f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x000080139d60: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 00 03 f9
  0x000080139d70: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x000080139d80: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x000080139d90: f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
  0x000080139da0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2826401==ABORTING

gdb output

Program received signal SIGSEGV, Segmentation fault.
0x000000000044f4d9 in formUpdateBuffer (a=0x7e00d8, buf=0x7d3e00, form=0x7dfe00) at form.c:448
448                 buf->currentLine->lineBuf[spos] = ' ';
(gdb) p buf->currentLine
$1 = (Line *) 0x7d5de0
(gdb) p buf->currentLine->lineBuf
$2 = 0x495682 ""
(gdb) p spos
$3 = 6

found by afl-fuzz

tats added a commit that referenced this issue Oct 8, 2016

@tats

This comment has been minimized.

Show comment
Hide comment
@tats

tats Oct 8, 2016

Owner

Fixed, thank you.

Owner

tats commented Oct 8, 2016

Fixed, thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment