heap buffer overflow and bad pointer deref in conv_symbol()

[kcwu]

input

00000000: 3c74 6162 6c65 3e1b 3c61 3e30 3c74 6578  <table>.<a>0<tex
00000010: 7461 7265 6100 636f 6c73 3d32 3030 3e3c  tarea.cols=200><
00000020: 713c 7461 626c 653e 303c 7020 3d3e 303c  q<table>0<p =>0<
00000030: 6852 3e30 3c70 203d 3e30 3c70 0d3e 303c  hR>0<p =>0<p.>0<
00000040: 703e 303c 6852 3e30 3c70 3e30 3c68 523e  p>0<hR>0<p>0<hR>
00000050: 303c 7464 3e30 3c68 5220 616c 6967 6e3d  0<td>0<hR align=
00000060: 6d69 6464 6c65 3e30 3030 3030 1e30 3030  middle>00000.000
00000070: 3030 e430 3030 30ff 3030 3030 30a5 3030  00.0000.00000.00
00000080: 3030 303c 303c 3030 3030 3d30 3030 3030  000<0<0000=00000
00000090: 2f30 3030 3030 ff30 3030 3030            /00000.00000

gdb --args w3m -T text/html -dump file

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x0000000000479ffe in Strcat_charp (x=0x7f29a0, y=0x500000004 <error: Cannot access memory at address 0x500000004>) at Str.c:217
#2  0x000000000042ea11 in conv_symbol (l=0x7d6c60) at file.c:7614
#3  0x000000000042eb4c in _saveBuffer (buf=0x7d4e00, l=0x7d6c60, f=0x7ffff6ffe400 <_IO_2_1_stdout_>, cont=0) at file.c:7647
#4  0x000000000042eca3 in saveBuffer (buf=0x7d4e00, f=0x7ffff6ffe400 <_IO_2_1_stdout_>, cont=0) at file.c:7668
#5  0x0000000000408002 in do_dump (buf=0x7d4e00) at main.c:1360
#6  0x0000000000407433 in main (argc=5, argv=0x7fffffffcde8, envp=0x7fffffffce18) at main.c:1066
(gdb) frame 2
#2  0x000000000042ea11 in conv_symbol (l=0x7d6c60) at file.c:7614
7614                Strcat_charp(tmp, symbol[(int)c]);
(gdb) p symbol
$1 = (char **) 0x7ccd80
(gdb) p c
$2 = 81 'Q'

symbol is allocated in update_utf8_symbol(). Its size is only 46. So symbol[c] is heap buffer overflow read.

This is found by afl-fuzz.

[tats]

Fixed, thank you.