Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

null pointer deref due to bad form id in HTMLlineproc2body() #39

Closed
kcwu opened this issue Nov 13, 2016 · 1 comment
Closed

null pointer deref due to bad form id in HTMLlineproc2body() #39

kcwu opened this issue Nov 13, 2016 · 1 comment

Comments

@kcwu
Copy link
Contributor

kcwu commented Nov 13, 2016
edited
Loading

input

00000000: 303c 6275 7474 6f6e 2076 616c 7565 3d27  0<button value='
00000010: 223e 3c69 6e70 7574 5f61 6c74 2066 6964  "><input_alt fid
00000020: 3d36 3e3c 666f 726d 5f69 6e74 2066 6964  =6><form_int fid
00000030: 3d36 3027 3e30 3030 3030 3030 3030 3030  =60'>00000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000050: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000070: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000080: 3030 3030 30                             00000

gdb --args w3m -T text/html -dump file

Program received signal SIGSEGV, Segmentation fault.
0x0000000000429ca0 in HTMLlineproc2body (buf=0x7d4e00, feed=0x428395 <textlist_feed>, llimit=-1) at file.c:5862
5862                            if (!form->target)
(gdb) p form
$1 = (FormList *) 0x0
(gdb) bt
#0  0x0000000000429ca0 in HTMLlineproc2body (buf=0x7d4e00, feed=0x428395 <textlist_feed>, llimit=-1) at file.c:5862
#1  0x000000000042afd6 in HTMLlineproc2 (buf=0x7d4e00, tl=0x7cd280) at file.c:6197
#2  0x000000000042e1f4 in loadHTMLstream (f=0x7fffffffcac0, newBuf=0x7d4e00, src=0x0, internal=0) at file.c:7285
#3  0x000000000042ca01 in loadHTMLBuffer (f=0x7fffffffcac0, newBuf=0x7d4e00) at file.c:6779
#4  0x0000000000416b3f in loadSomething (f=0x7fffffffcac0, loadproc=0x42c8e7 <loadHTMLBuffer>, defaultbuf=0x7d4e00) at file.c:224
#5  0x000000000041c9b1 in loadGeneralFile (path=0x7c4b00 "min/10", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2241
#6  0x00000000004071c1 in main (argc=5, argv=0x7fffffffcde8, envp=0x7fffffffce18) at main.c:1020

I found form is obtained by form[form_id] earlier

5836                            if (form_id < 0 || form_id > form_max || forms == NULL)
5837                                break;      /* outside of <form>..</form> */
5838                            form = forms[form_id];
(gdb) p form_id
$3 = 6
(gdb) p form_max
$4 = 60

Although the value of form_id is validated but form_max is incorrectly obtained from user input.

This is found by afl-fuzz.
tats added a commit that referenced this issue Nov 14, 2016
@tats
Prevent null pointer deref due to bad form id
9db4380 
Bug-Debian: #39
@tats
Copy link
Owner

tats commented Nov 14, 2016

Fixed, thank you.

@tats tats closed this as completed Nov 14, 2016
tats added a commit that referenced this issue Dec 18, 2016
@tats
Prevent null pointer deref due to bad form id
874998a 
Bug-Debian: #39
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=9db438094e5f0d84842bcbd248f282594ccb3c89
@rkta rkta mentioned this issue Feb 12, 2022
Closed
@rkta rkta mentioned this issue Aug 1, 2023
Open
This was referenced Aug 8, 2023
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kcwu @tats