null pointer deref due to bad form id in HTMLlineproc2body() #39

Closed
kcwu opened this issue Nov 13, 2016 · 1 comment

@kcwu
Contributor

commented Nov 13, 2016

input

00000000: 303c 6275 7474 6f6e 2076 616c 7565 3d27  0<button value='
00000010: 223e 3c69 6e70 7574 5f61 6c74 2066 6964  "><input_alt fid
00000020: 3d36 3e3c 666f 726d 5f69 6e74 2066 6964  =6><form_int fid
00000030: 3d36 3027 3e30 3030 3030 3030 3030 3030  =60'>00000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000050: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000060: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000070: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000080: 3030 3030 30                             00000

gdb --args w3m -T text/html -dump file

Program received signal SIGSEGV, Segmentation fault.
0x0000000000429ca0 in HTMLlineproc2body (buf=0x7d4e00, feed=0x428395 <textlist_feed>, llimit=-1) at file.c:5862
5862                            if (!form->target)
(gdb) p form
$1 = (FormList *) 0x0
(gdb) bt
#0  0x0000000000429ca0 in HTMLlineproc2body (buf=0x7d4e00, feed=0x428395 <textlist_feed>, llimit=-1) at file.c:5862
#1  0x000000000042afd6 in HTMLlineproc2 (buf=0x7d4e00, tl=0x7cd280) at file.c:6197
#2  0x000000000042e1f4 in loadHTMLstream (f=0x7fffffffcac0, newBuf=0x7d4e00, src=0x0, internal=0) at file.c:7285
#3  0x000000000042ca01 in loadHTMLBuffer (f=0x7fffffffcac0, newBuf=0x7d4e00) at file.c:6779
#4  0x0000000000416b3f in loadSomething (f=0x7fffffffcac0, loadproc=0x42c8e7 <loadHTMLBuffer>, defaultbuf=0x7d4e00) at file.c:224
#5  0x000000000041c9b1 in loadGeneralFile (path=0x7c4b00 "min/10", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2241
#6  0x00000000004071c1 in main (argc=5, argv=0x7fffffffcde8, envp=0x7fffffffce18) at main.c:1020

I found that form is obtained from forms[form_id] earlier:

5836                            if (form_id < 0 || form_id > form_max || forms == NULL)
5837                                break;      /* outside of <form>..</form> */
5838                            form = forms[form_id];
(gdb) p form_id
$3 = 6
(gdb) p form_max
$4 = 60

Although the value of form_id is validated, form_max is incorrectly obtained from user input.

This is found by afl-fuzz.
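The report shows a bound check that trusts a limit taken from the markup (form_max) instead of the number of form slots actually allocated, so an in-range-looking id lands on an empty slot and the later `form->target` access dereferences NULL. The following is an added, simplified C model of that situation, not w3m's code: FormTable, nforms, lookup_form_unchecked, lookup_form_checked, form_has_target and make_sample_table are all assumed names. It places the original check beside a hardened lookup that bounds the index by the allocated slot count and treats an empty slot as "no form".

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-in for w3m's FormList; not the project's type. */
typedef struct {
    const char *action;
    const char *target;
} FormList;

/* Hypothetical table of forms for one document. */
typedef struct {
    FormList **forms;  /* slot array; slots never bound to a <form> stay NULL */
    int nforms;        /* number of slots actually allocated (trusted, from the allocator) */
    int form_max;      /* highest id claimed by the markup (attacker-influenced, as in the report) */
} FormTable;

/* Mirrors the reported check: only the markup-supplied form_max bounds the index.
 * With form_max larger than nforms this can return NULL for an empty slot (the
 * crash in the report) or read past the allocation; never deref its result blindly. */
static FormList *lookup_form_unchecked(const FormTable *t, int form_id)
{
    if (form_id < 0 || form_id > t->form_max || t->forms == NULL)
        return NULL;            /* "outside of <form>..</form>" */
    return t->forms[form_id];   /* may be NULL even though the check passed */
}

/* Hardened lookup: bound by the allocated slot count, not by form_max, and
 * report an empty slot as "no form" so callers always get a NULL check. */
static FormList *lookup_form_checked(const FormTable *t, int form_id)
{
    if (t->forms == NULL || form_id < 0 || form_id >= t->nforms)
        return NULL;
    return t->forms[form_id];   /* NULL when the id was never bound to a <form> */
}

/* Returns 1 when the form exists and has a target, 0 when it must be skipped.
 * This is the caller-side check that the crashing line was missing. */
static int form_has_target(const FormTable *t, int form_id)
{
    FormList *form = lookup_form_checked(t, form_id);
    if (form == NULL)
        return 0;
    return form->target != NULL;
}

/* Constructed sample resembling the report: 8 slots allocated, only ids 0..2
 * populated, while the markup claims form_max = 60 and references fid=6. */
static FormTable *make_sample_table(void)
{
    FormTable *t = calloc(1, sizeof *t);
    if (t == NULL)
        return NULL;
    t->nforms = 8;
    t->forms = calloc((size_t)t->nforms, sizeof *t->forms);
    if (t->forms == NULL) {
        free(t);
        return NULL;
    }
    for (int i = 0; i < 3; i++) {
        t->forms[i] = calloc(1, sizeof **t->forms);
        if (t->forms[i] != NULL)
            t->forms[i]->target = "_self";
    }
    t->form_max = 60;   /* the untrusted value from the input */
    return t;
}

static void free_sample_table(FormTable *t)
{
    if (t == NULL)
        return;
    for (int i = 0; i < t->nforms; i++)
        free(t->forms[i]);
    free(t->forms);
    free(t);
}

int main(void)
{
    FormTable *t = make_sample_table();
    if (t == NULL)
        return 1;
    /* fid=6 passes the form_max-based check but the slot is empty: NULL result. */
    printf("unchecked lookup of id 6 -> %s\n", lookup_form_unchecked(t, 6) ? "form" : "NULL");
    /* The hardened path reports "no target" instead of dereferencing NULL. */
    printf("form_has_target(6) = %d, form_has_target(1) = %d, form_has_target(60) = %d\n",
           form_has_target(t, 6), form_has_target(t, 1), form_has_target(t, 60));
    free_sample_table(t);
    return 0;
}
```

The point of the comparison is that a validity check is only as good as the limit it compares against: form_max came from the document, so the check could not catch an id that was within the claimed range but had no form behind it. Bounding by the allocated count and testing the slot for NULL closes both the empty-slot and the out-of-allocation cases.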

tats added a commit that referenced this issue Nov 14, 2016

@tats

Owner

commented Nov 14, 2016

Fixed, thank you.
