Stack seems smashed with large image inside table #8

Closed
kcwu opened this issue Aug 11, 2016 · 4 comments

@kcwu
Contributor

commented Aug 11, 2016

How to reproduce

$ echo '<table>0<td rowspan=0 colspan=30><img width=900000 src=0 height=0>'  | ./w3m -T text/html -dump > /dev/null
*** stack smashing detected ***: ./w3m terminated

The behavior is not stable. w3m sometimes crashes and sometimes doesn't.
Usually it just segfaults, and sometimes the stack protector says the stack was smashed.

I haven't debugged it, so I don't know why it's unstable or how the stack gets smashed. The following are my steps to compile w3m:

env AFL_HARDEN=1 AFL_USE_ASAN=1 CC=afl-clang-fast ./configure --enable-image=no
make

This is found by afl-fuzz.
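As an added illustration of the bug class this report describes (not code from w3m, from the reporter, or from the fix in #19): a toy table-layout routine that takes rowspan/colspan straight from the attributes and uses them as loop bounds over fixed-size arrays on the stack, next to a clamped form that keeps every index inside the table. MAXROW, MAXCOL, struct cell, the 3-column assumption for the reproducer's table and all function names are assumptions made for the illustration; w3m's real data structures are different.

```c
#include <stdio.h>

/* Toy table-layout code illustrating the bug class in this issue (an
 * illustration only; the constants, struct and function names are assumptions,
 * not w3m's).  Spans come straight from the rowspan=/colspan= attributes and
 * are used as loop bounds over arrays that live on the stack. */
#define MAXROW 8
#define MAXCOL 8

struct cell {
    int row, col;          /* first row/column the cell occupies */
    int rowspan, colspan;  /* attribute values; 0 means "span to the end" */
    int width;             /* from <img width=...> inside the cell */
};

/* Clamp an attribute-supplied span so that start + span never leaves the
 * table.  0 (the issue's rowspan=0) becomes "the rest of the table", and a
 * span larger than the remainder (colspan=30 in a 3-column table) is cut
 * down to it.  Returns 0 when the start is already outside the table. */
static int clamp_span(int start, int span, int limit)
{
    if (start < 0 || start >= limit)
        return 0;
    if (span <= 0 || span > limit - start)
        return limit - start;
    return span;
}

/* Unchecked variant: the attribute value is the loop bound, so colspan=30
 * writes 22 ints past the end of colwidth[MAXCOL] on the caller's stack
 * (and colspan=0 divides by zero).  Whether that lands on the canary, the
 * saved return address or something harmless depends on the surrounding
 * frame, which is the kind of layout-dependent behaviour the report sees.
 * Kept for comparison; only ever called here with an in-bounds span. */
static int distribute_width_unchecked(const struct cell *c, int colwidth[MAXCOL])
{
    int share = c->width / c->colspan;
    for (int i = 0; i < c->colspan; i++)
        colwidth[c->col + i] = share;     /* out-of-bounds for large colspan */
    return c->colspan;
}

/* Hardened variant: spread the cell's width over the columns it really
 * spans.  Returns the number of columns written. */
static int distribute_width(const struct cell *c, int ncols, int colwidth[MAXCOL])
{
    if (ncols > MAXCOL)
        ncols = MAXCOL;
    int span = clamp_span(c->col, c->colspan, ncols);
    if (span == 0)
        return 0;
    int share = c->width / span;          /* span >= 1 here, no div-by-zero */
    for (int i = 0; i < span; i++)
        if (colwidth[c->col + i] < share)
            colwidth[c->col + i] = share;
    return span;
}

/* Mark the grid cells a (row,col,rowspan,colspan) cell occupies, clamping
 * both spans.  Returns the number of grid cells marked. */
static int mark_occupied(const struct cell *c, int nrows, int ncols,
                         char grid[MAXROW][MAXCOL])
{
    if (nrows > MAXROW) nrows = MAXROW;
    if (ncols > MAXCOL) ncols = MAXCOL;
    int rs = clamp_span(c->row, c->rowspan, nrows);
    int cs = clamp_span(c->col, c->colspan, ncols);
    for (int r = 0; r < rs; r++)
        for (int k = 0; k < cs; k++)
            grid[c->row + r][c->col + k] = 1;
    return rs * cs;
}

int main(void)
{
    /* The cell from the reproducer: one row, rowspan=0, colspan=30 and a
     * 900000-wide image; assume the table is parsed as 3 columns wide. */
    struct cell hostile = { 0, 0, 0, 30, 900000 };
    int colwidth[MAXCOL] = { 0 };
    char grid[MAXROW][MAXCOL] = { { 0 } };

    int cols = distribute_width(&hostile, 3, colwidth);
    int marked = mark_occupied(&hostile, 1, 3, grid);
    printf("columns written: %d (share %d each), grid cells marked: %d\n",
           cols, colwidth[0], marked);

    /* A benign cell is safe even through the unchecked path. */
    struct cell benign = { 0, 1, 1, 2, 40 };
    printf("unchecked benign span: %d\n",
           distribute_width_unchecked(&benign, colwidth));
    return 0;
}
```

The point of clamp_span is that both "0 means to the end" and "larger than the table" are folded into the remaining row/column count, so the loops in the layout routines can never index past the arrays regardless of what the attribute said. Building with -fsanitize=address, as in the reporter's configure line, would turn the silent out-of-bounds write in the unchecked variant into an immediate report instead of the layout-dependent segfault or canary abort the issue describes.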

@kcwu

Contributor Author

commented Aug 16, 2016

Feel free to let me know if you cannot reproduce this issue --- I could try to find a more reliable input.

p.s. No hurry, I am not pushing you. Just a friendly offer to help if needed.

@tats

Owner

commented Aug 16, 2016

Unreproducible in my environment with a casual try.
So more information and/or patches are welcome.

@kcwu

Contributor Author

commented Aug 17, 2016

While I have seen lots of crashes with table colspan (actually, they are the majority of crashes), I cannot always reproduce them. They seem sensitive to environment variables, compiler options, etc. In some environments I can always reproduce the crash, but it may not crash anymore if the env changes.

I will try to produce a reliable case. In the meantime, maybe you could fix #16. Hopefully fixing it will reduce the non-deterministic factors.

tats added a commit that referenced this issue Aug 18, 2016

@tats

Owner

commented Aug 18, 2016

Fixed by #19

@tats tats closed this Aug 18, 2016

tats added a commit that referenced this issue Dec 18, 2016

Fix table rowspan and colspan
Origin: #19
Bug-Debian: #8 [CVE-2016-9422]