infinite loop in feed_textarea() #85

Closed
kcwu opened this issue Dec 16, 2016 · 3 comments

Comments

kcwu (Contributor) commented Dec 16, 2016

input (xxd cases/tats-w3m-85)

00000000: 3c6d 6574 6120 3d22 2263 6861 7273 6574  <meta =""charset
00000010: 3d75 7466 373e 3c74 6578 7461 7265 613e  =utf7><textarea>
00000020: 0d2b 4141 300d                           .+AA0.

how to reproduce:

./w3m-tats -T text/html -dump cases/tats-w3m-85

For more detail on how to reproduce, please see http://github.com/kcwu/fuzzing-w3m

For your convenience,
gdbline:
gdb --args ./w3m-tats -T text/html -dump cases/tats-w3m-85

found by afl-fuzz

kcwu (Contributor, Author) commented Dec 16, 2016

file.c

4089        while (*str) {
4090            if (*str == '&')
...
4092            else if (*str == '\n') {
...
4095            }
4096            else if (*str != '\r')
...
4098        }

If *str == '\r', the loop never breaks.
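
The control-flow defect described in the comment above, as an added example that is not w3m's code: a model of the feed_textarea() loop shape quoted from file.c, with the '&' and '\n' bodies replaced by stand-ins that copy their input. Every branch advances str except the one character that matches no branch, '\r', so a CR in the textarea body spins forever. The reproducer gets a CR there because the document is declared as UTF-7 and "+AA0" is the UTF-7 encoding of U+000D (carriage return). The hardened variant consumes the CR with a plain `else str++;`; that is an assumed fix for illustration, and w3m's own 950_textarea.patch may do it differently. The iteration cap, the function and constant names, and the sample input are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cap so the buggy variant returns instead of hanging (constructed). */
#define MAX_STEPS 100000

/* Model of the feed_textarea() loop from file.c (not the real function).
 * Copies the textarea body from str into out (NUL-terminated).
 * Returns the number of bytes written, or -1 if the loop exceeded
 * MAX_STEPS without consuming its input, i.e. it would never terminate.
 * skip_cr == 0 reproduces the reported bug; skip_cr != 0 applies the
 * assumed fix of advancing past '\r'. */
static long feed_textarea_model(const char *str, char *out, size_t outsz,
                                int skip_cr)
{
    size_t n = 0;
    long steps = 0;

    if (outsz == 0)
        return -1;

    while (*str) {
        if (++steps > MAX_STEPS) {
            out[n] = '\0';
            return -1;              /* real code would spin here forever */
        }
        if (*str == '&') {
            /* entity stand-in: copy up to and including the ';' */
            while (*str) {
                char c = *str++;
                if (n + 1 < outsz)
                    out[n++] = c;
                if (c == ';')
                    break;
            }
        } else if (*str == '\n') {
            if (n + 1 < outsz)
                out[n++] = '\n';
            str++;
        } else if (*str != '\r') {
            if (n + 1 < outsz)
                out[n++] = *str;
            str++;
        } else if (skip_cr) {
            str++;                  /* hardened path: consume the CR */
        }
        /* buggy path: a '\r' reaches here with str unchanged */
    }
    out[n] = '\0';
    return (long)n;
}

long feed_textarea_buggy(const char *s, char *out, size_t outsz)
{
    return feed_textarea_model(s, out, outsz, 0);
}

long feed_textarea_fixed(const char *s, char *out, size_t outsz)
{
    return feed_textarea_model(s, out, outsz, 1);
}

/* Textarea body of the reproducer once the tags are gone (constructed):
 * CR, the literal bytes "+AA0" (UTF-7 for U+000D), CR. */
static const char kRepro[] = "\r+AA0\r";

/* Runs the reproducer through one variant; used by main and the tests. */
long run_repro(int use_fix)
{
    char buf[64];
    return feed_textarea_model(kRepro, buf, sizeof buf, use_fix);
}

int main(void)
{
    char buf[64];
    printf("buggy: %ld\n", feed_textarea_buggy(kRepro, buf, sizeof buf));
    printf("fixed: %ld \"%s\"\n",
           feed_textarea_fixed(kRepro, buf, sizeof buf), buf);
    return 0;
}
```

The pattern to look for in review is a `while (*p)` loop whose body advances `p` only inside some of its branches: any byte that falls through every branch untouched is a denial-of-service input, and a fuzzer finds it quickly because the target simply stops making progress.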

kcwu (Contributor, Author) commented Dec 16, 2016

The same case. This variant hangs for original 0.5.3 as well.

00000000: 3c6d 6574 6120 6874 7470 2d65 7175 6976  <meta http-equiv
00000010: 3d22 636f 6e74 656e 742d 7479 7065 2263  ="content-type"c
00000020: 6f6e 7465 6e74 3d63 6861 7273 6574 3d75  ontent=charset=u
00000030: 7466 373e 3c74 6578 7461 7265 613e 0d2b  tf7><textarea>.+
00000040: 4141 300d                                AA0.

tats added a commit that referenced this issue Dec 17, 2016
tats (Owner) commented Dec 17, 2016

Fixed, thank you.

@tats tats closed this as completed Dec 17, 2016
tats added a commit that referenced this issue May 5, 2017
- New patch 934_menu.patch to fix buffer overflow (#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (#62)
- New patch 936_metarefresh.patch to fix buffer overflow (#63)
- New patch 937_lineproc0.patch to fix buffer overflow (#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (#61)
- New patch 939_textarea.patch to fix buffer overflow (#58)
- New patch 940_tabattr.patch to fix buffer overflow (#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (#70)
- New patch 942_tridvalue.patch to fix buffer overflow (#71)
- New patch 943_pushlink.patch to fix buffer overflow (#64, #66)
- New patch 944_lineproc0.patch to fix use after free (#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (#57)
- New patch 946_strnewsize.patch to fix buffer overflow (#72)
- New patch 947_realcolumn.patch to fix buffer overflow (#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (#77)
- New patch 950_textarea.patch to fix infinite loop (#85)
- New patch 951_lineproc0.patch to fix use after free (#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (#68)