
crash after allocate string of negative size #33

kcwu opened this issue Nov 6, 2016 · 2 comments


kcwu commented Nov 6, 2016


00000000: 3c74 6162 6c65 3e3c 7461 626c 6520 6365  <table><table ce
00000010: 6c6c 7061 6464 696e 673d 3636 3036 3030  llpadding=660600
00000020: 3030 3030 3e30 3c74 643e 3c74 6578 7461  0000>0<td><texta
00000030: 7265 6120 726f 7773 3d34 3e3c 2f74 6162  rea rows=4></tab
00000040: 6c65 3c74 643e 3030                      le<td>00

crash location

Program received signal SIGSEGV, Segmentation fault.
0x000000000047967f in Strnew_size (n=-58) at Str.c:53
53  x->ptr[0] = '\0';
(gdb) p x->ptr
$1 = 0x0
(gdb) up
#1  0x000000000041e244 in flushline (h_env=0x7fff1b76ea60, obuf=0x7fff1b76ebf0, indent=0, force=0, width=-78) at file.c:2829
2829  o.line = Strnew_size(width + 20);
(gdb) bt
#0  0x000000000047967f in Strnew_size (n=-58) at Str.c:53
#1  0x000000000041e244 in flushline (h_env=0x7fff1b76ea60, obuf=0x7fff1b76ebf0, indent=0, force=0, width=-78) at file.c:2829
#2  0x000000000042c300 in HTMLlineproc0 (line=0x10ce1da "", h_env=0x7fff1b76ea60, internal=1) at file.c:6636
#3  0x0000000000442790 in do_refill (tbl=0x10ca2d0, row=0, col=1, maxlimit=-78) at table.c:798
#4  0x000000000044667b in renderTable (t=0x10ca2d0, max_width=23, h_env=0x7fff1b76f150) at table.c:1804
#5  0x0000000000445ea7 in renderCoTable (tbl=0x10c7e10, maxlimit=79) at table.c:1653
#6  0x00000000004465e8 in renderTable (t=0x10c7e10, max_width=78, h_env=0x7fff1b76f950) at table.c:1797
#7  0x000000000042b826 in HTMLlineproc0 (line=0x495779 "", h_env=0x7fff1b76f950, internal=1) at file.c:6444
#8  0x000000000042d3ec in completeHTMLstream (h_env=0x7fff1b76f950, obuf=0x7fff1b76fae0) at file.c:7013
#9  0x000000000042ddf7 in loadHTMLstream (f=0x7fff1b76ff70, newBuf=0x10c7770, src=0x0, internal=0) at file.c:7245
#10 0x000000000042c7db in loadHTMLBuffer (f=0x7fff1b76ff70, newBuf=0x10c7770) at file.c:6773
#11 0x0000000000416951 in loadSomething (f=0x7fff1b76ff70, loadproc=0x42c6c1 <loadHTMLBuffer>, defaultbuf=0x10c7770) at file.c:224
#12 0x000000000041c7c3 in loadGeneralFile (path=0x10c5160 "min/2", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2241
#13 0x0000000000406fe2 in main (argc=5, argv=0x7fff1b770298, envp=0x7fff1b7702c8) at main.c:1020

With further debugging, I found that the value -78 comes from the result of LUsolve. At renderTable() line 1754 of table.c, the result of

1754             LUsolve(mat, pivot, t->vector, newwidth);
(gdb) p newwidth->ve[0]
$1 = -78.050371113549431

This was found by afl-fuzz.


kcwu (Contributor, Author) commented Nov 6, 2016

Anyway, 6606000000 is larger than INT_MAX. At file.c line 5022,

parsedtag_get_value(tag, ATTR_CELLPADDING, &y);

the result of y is -1983934592.
if (y < 0) y = 0; can fix this problem.
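An added example (not w3m's code) that reproduces, in isolation, the chain this report describes: accumulating the digits of cellpadding=6606000000 in 32 bits wraps to -1983934592, the clamp proposed above turns that negative value into 0, and a Strnew_size-style allocator that rejects a negative length would have refused the n=-58 seen in the trace instead of writing through a NULL ptr. The names parse_int_wrapping, parse_int_checked, clamp_cellpadding, Str_t and str_new_size_checked are hypothetical, and the wrapping conversion models w3m's parsing only as far as the values quoted in this thread show it.

```c
#include <stdlib.h>
#include <limits.h>
#include <stdint.h>

/* Hypothetical stand-in for the digit-to-int conversion behind
 * parsedtag_get_value(): digits accumulate in 32 bits and wrap, so
 * "6606000000" becomes -1983934592 (out-of-range uint32_t -> int is
 * implementation-defined; gcc and clang wrap modulo 2^32 as shown). */
int parse_int_wrapping(const char *s)
{
    uint32_t acc = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        acc = acc * 10u + (uint32_t)(*s - '0');
    return (int)acc;
}

/* Overflow-aware alternative: refuse values that do not fit an int. */
int parse_int_checked(const char *s, int *out)
{
    long long acc = 0;
    for (; *s >= '0' && *s <= '9'; s++) {
        acc = acc * 10 + (*s - '0');
        if (acc > INT_MAX) return 0;          /* reject instead of wrapping */
    }
    *out = (int)acc;
    return 1;
}

/* The clamp proposed in the thread for file.c: a negative cellpadding is
 * treated as 0, so it cannot push the table width solver negative. */
int clamp_cellpadding(int y)
{
    return y < 0 ? 0 : y;
}

/* A Strnew_size-like allocator that rejects a negative length instead of
 * passing it to the allocator and then writing through a NULL ptr. */
typedef struct { char *ptr; int length; int area_size; } Str_t;
Str_t *str_new_size_checked(int n)
{
    if (n < 0 || n == INT_MAX) return NULL;   /* n=-58 from the trace ends here */
    Str_t *x = malloc(sizeof *x);
    if (x == NULL) return NULL;
    x->ptr = malloc((size_t)n + 1);           /* room for the terminator */
    if (x->ptr == NULL) { free(x); return NULL; }
    x->ptr[0] = '\0';
    x->length = 0; x->area_size = n + 1;
    return x;
}
```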

tats added a commit that referenced this issue Nov 7, 2016


tats commented Nov 7, 2016

if (y < 0) y = 0; can fix this problem.

Check added. Thank you.
