
infinite recursion in HTMLlineproc0 #88

Closed
kcwu opened this issue Jan 22, 2017 · 3 comments

Comments

@kcwu
Contributor

kcwu commented Jan 22, 2017

input (xxd cases/tats-w3m-88)

00000000: 3c74 6162 6c65 3e3c 756c 3e3c 7472 3e3c  <table><ul><tr><
00000010: 2f6f 6c3e 3c74 6162 6c65 3e30 3c63 6170  /ol><table>0<cap
00000020: 7469 6f6e 3e30 30                        tion>00

how to reproduce:

./w3m-tats -T text/html -dump cases/tats-w3m-88

found by afl-fuzz

@kcwu
Contributor Author

kcwu commented Jan 22, 2017

gdb stacktrace

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78800fe in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
(gdb) bt 50
#0  0x00007ffff78800fe in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#1  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#2  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#3  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#4  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#5  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#6  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#7  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#8  0x00007ffff7880116 in GC_clear_stack_inner () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#9  0x00007ffff787cdcc in GC_generic_malloc_many () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#10 0x00007ffff7885ab9 in GC_malloc () from /usr/lib/x86_64-linux-gnu/libgc.so.1
#11 0x0000000000486ce4 in Strnew () at Str.c:39
#12 0x0000000000422aef in flushline (h_env=0x7fffffffb5b0, obuf=0x7fffffffb380, indent=-4, force=0, width=1) at file.c:2922
#13 0x000000000042df68 in HTMLlineproc0 (line=0x149fae2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6627
#14 0x000000000042df80 in HTMLlineproc0 (line=0x149faf2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#15 0x000000000042df80 in HTMLlineproc0 (line=0x149fb02 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#16 0x000000000042df80 in HTMLlineproc0 (line=0x149fb12 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#17 0x000000000042df80 in HTMLlineproc0 (line=0x149fb22 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#18 0x000000000042df80 in HTMLlineproc0 (line=0x149fb32 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#19 0x000000000042df80 in HTMLlineproc0 (line=0x149fb42 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#20 0x000000000042df80 in HTMLlineproc0 (line=0x149fb52 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#21 0x000000000042df80 in HTMLlineproc0 (line=0x149fb62 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#22 0x000000000042df80 in HTMLlineproc0 (line=0x149fb72 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#23 0x000000000042df80 in HTMLlineproc0 (line=0x149fb82 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#24 0x000000000042df80 in HTMLlineproc0 (line=0x149fb92 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#25 0x000000000042df80 in HTMLlineproc0 (line=0x149fba2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#26 0x000000000042df80 in HTMLlineproc0 (line=0x149fbb2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#27 0x000000000042df80 in HTMLlineproc0 (line=0x149fbc2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#28 0x000000000042df80 in HTMLlineproc0 (line=0x149fbd2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#29 0x000000000042df80 in HTMLlineproc0 (line=0x149fbe2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#30 0x000000000042df80 in HTMLlineproc0 (line=0x149fbf2 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#31 0x000000000042df80 in HTMLlineproc0 (line=0x149fc02 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#32 0x000000000042df80 in HTMLlineproc0 (line=0x149fc12 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#33 0x000000000042df80 in HTMLlineproc0 (line=0x149fc22 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#34 0x000000000042df80 in HTMLlineproc0 (line=0x149fc32 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631
#35 0x000000000042df80 in HTMLlineproc0 (line=0x149fc42 "", h_env=0x7fffffffb5b0, internal=1) at file.c:6631

crash inside GC_clear_stack_inner because it failed to allocate stack.
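The following harness is an added example, not part of the issue or of w3m: it rebuilds the test case bytes from the xxd dump quoted above (the equivalent of `xxd -r`), writes them to the path used in the report, runs the reproduction command under a timeout, and labels the outcome by exit status so a stack-exhaustion SIGSEGV is distinguishable from a clean exit or a hang. The binary name `./w3m-tats` and the case path come from the issue; the `reproduce` and `classify` helpers are this example's own names.

```python
"""Reproduce and triage the w3m #88 crash from the xxd dump in the report."""
import signal
import subprocess
from pathlib import Path

# xxd output copied from the issue (constructed test input, 39 bytes).
XXD_DUMP = """\
00000000: 3c74 6162 6c65 3e3c 756c 3e3c 7472 3e3c  <table><ul><tr><
00000010: 2f6f 6c3e 3c74 6162 6c65 3e30 3c63 6170  /ol><table>0<cap
00000020: 7469 6f6e 3e30 30                        tion>00
"""


def xxd_to_bytes(dump: str) -> bytes:
    """Reverse an xxd dump: take the hex column after 'offset:' and stop at
    the double space that separates it from the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split(":", 1)[1].split("  ")[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def classify(returncode: int) -> str:
    """Label a subprocess exit. POSIX subprocess reports a terminating
    signal as the negative signal number."""
    if returncode >= 0:
        return "exit %d" % returncode
    sig = signal.Signals(-returncode)
    if sig == signal.SIGSEGV:
        # Unbounded recursion exhausts the stack and faults; in the report the
        # fault surfaces inside libgc's GC_clear_stack_inner.
        return "SIGSEGV (possible stack exhaustion)"
    return sig.name


def reproduce(binary="./w3m-tats", case=Path("cases/tats-w3m-88"), timeout=30):
    """Write the case file and run the command from the issue."""
    case.parent.mkdir(parents=True, exist_ok=True)
    case.write_bytes(xxd_to_bytes(XXD_DUMP))
    try:
        proc = subprocess.run([binary, "-T", "text/html", "-dump", str(case)],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout (possible infinite loop)"
    return classify(proc.returncode)


if __name__ == "__main__":
    print(reproduce())
```

A lowered stack limit (`ulimit -s`) makes the recursion fault sooner, which helps when a fixed build is being checked against the same case.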

tats added a commit that referenced this issue Jan 20, 2018
@tats
Owner

tats commented Jan 20, 2018

Fixed, thank you.

@tats tats closed this as completed Jan 20, 2018
@carnil

carnil commented Jan 25, 2018

This issue has been assigned CVE-2018-6196
