
segv in columnPos #89

Closed
kcwu opened this issue Feb 14, 2017 · 3 comments

Comments


kcwu commented Feb 14, 2017

input (xxd cases/tats-w3m-89)

00000000: 3c74 6162 6c65 3e30 3c63 6170 7469 6f6e  <table>0<caption
00000010: 3e3c 6834 3e3c 6275 7474 6f6e 206e 616d  ><h4><button nam
00000020: 653d 223e 2276 616c 7565 3d27 2272 6f77  e=">"value='"row
00000030: 733d 383c 2274 7970 653d 223e 273e       s=8<"type=">'>

how to reproduce:

ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 ./w3m-tats.asan -T text/html -dump cases/tats-w3m-89

stderr:

ASAN:DEADLYSIGNAL
=================================================================
==1554299==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005ef25d bp 0x7fffcb53ed10 sp 0x7fffcb53eca0 T0)
==1554299==The signal is caused by a READ memory access.
==1554299==Hint: address points to the zero page.
    #0 0x5ef25c in columnPos /targets/w3m-tats/etc.c:70:19
    #1 0x64fb2b in formUpdateBuffer /targets/w3m-tats/form.c:487:9
    #2 0x65143a in formResetBuffer /targets/w3m-tats/form.c:272:2
    #3 0x57c038 in loadHTMLBuffer /targets/w3m-tats/file.c:6797:2
    #4 0x57f0a4 in loadSomething /targets/w3m-tats/file.c:224:16
    #5 0x573833 in loadGeneralFile /targets/w3m-tats/file.c:2241:6
    #6 0x51967c in main /targets/w3m-tats/main.c:1017:12
    #7 0x7f29d7170f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #8 0x41cf6b in _start (/w3m-tats.asan+0x41cf6b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /targets/w3m-tats/etc.c:70:19 in columnPos
==1554299==ABORTING

For more detail on reproducing, please see http://github.com/kcwu/fuzzing-w3m

For your convenience,
gdbline:
ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-89

found by afl-fuzz


kcwu commented Feb 14, 2017

Program received signal SIGSEGV, Segmentation fault.
0x000000000043ccdd in columnPos (line=0x0, column=39) at etc.c:70
70          for (i = 1; i < line->len; i++) {
(gdb) p line
$1 = (Line *) 0x0
(gdb) bt
#0  0x000000000043ccdd in columnPos (line=0x0, column=39) at etc.c:70
#1  0x0000000000455d3b in formUpdateBuffer (a=0x7f3090, buf=0x7dde00, form=0x7f2e80) at form.c:487
#2  0x00000000004562f3 in formResetBuffer (buf=0x7dde00, formitem=0x7ee660) at form.c:272
#3  0x0000000000420ace in loadHTMLBuffer (f=0x7fffffffcad0, newBuf=0x7dde00) at file.c:6797
#4  0x0000000000421872 in loadSomething (f=0x7fffffffcad0, loadproc=0x420950 <loadHTMLBuffer>, defaultbuf=0x7dde00) at file.c:224
#5  0x000000000041e6f7 in loadGeneralFile (path=0x7cdf00 "cases/tats-w3m-89", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2241
#6  0x0000000000406678 in main (argc=5, argv=0x7fffffffce48, envp=0x7fffffffce78) at main.c:1017
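The gdb session above pins the crash down to `columnPos` being entered with `line == 0x0`, so the `line->len` read in the loop condition faults in the zero page (the ASan report's "address points to the zero page" hint says the same thing: a small offset from NULL). The following C is an added example, not w3m's code and not the fix tats later committed, which this thread does not show. It models the bug class with a hypothetical `Line`/`Buffer` layout, a constructed per-byte width table, and an invented caller `form_update_pos` that stands in for the `formUpdateBuffer` step: the unsafe routine reproduces the loop shape from etc.c:70, the hardened routine guards the pointer, and the caller refuses to proceed when the form item's anchor row has no backing line.

```c
/* Added example, not w3m's code: models a column-to-byte-offset routine
 * that faults when handed a NULL Line, and the two places a guard belongs.
 * Line, Buffer, find_line and form_update_pos are hypothetical names. */
#include <stddef.h>
#include <stdio.h>

typedef struct Line {
    const char *lineBuf;          /* bytes of the line */
    const unsigned char *width;   /* constructed: display width of each byte
                                     (1 = narrow, 2 = wide start, 0 = continuation) */
    int len;                      /* number of bytes */
} Line;

typedef struct Buffer {
    Line *lines;
    int nlines;
} Buffer;

/* Unsafe variant: same shape as the loop at etc.c:70 in the report.
 * With line == NULL the `line->len` read faults near address 0. */
int columnPos_unsafe(const Line *line, int column)
{
    int i, col = 0;
    for (i = 0; i < line->len; i++) {
        if (col >= column && line->width[i] != 0)
            break;                          /* stop at a character start */
        col += line->width[i];
    }
    return i;
}

/* Hardened variant: a NULL or empty line maps every column to byte 0. */
int columnPos_safe(const Line *line, int column)
{
    int i, col = 0;
    if (line == NULL || line->len <= 0 || column <= 0)
        return 0;
    for (i = 0; i < line->len; i++) {
        if (col >= column && line->width[i] != 0)
            break;
        col += line->width[i];
    }
    return i;                               /* == len when column is past the end */
}

/* Row lookup that reports a missing line instead of handing back garbage. */
static const Line *find_line(const Buffer *buf, int y)
{
    if (buf == NULL || y < 0 || y >= buf->nlines)
        return NULL;
    return &buf->lines[y];
}

/* Caller-side check: a form item whose row does not exist in the buffer
 * (e.g. a bogus rows= count on a malformed element) is rejected with -1
 * rather than being passed on to columnPos. */
int form_update_pos(const Buffer *buf, int y, int column)
{
    const Line *l = find_line(buf, y);
    if (l == NULL)
        return -1;
    return columnPos_safe(l, column);
}

/* Constructed sample: "ab" + U+3042 (3 bytes, 2 cells wide) + "cd". */
static const char sample_text[] = "ab\xe3\x81\x82" "cd";
static const unsigned char sample_width[] = { 1, 1, 2, 0, 0, 1, 1 };
static Line sample_line = { sample_text, sample_width, 7 };
static Buffer sample_buf = { &sample_line, 1 };

int main(void)
{
    printf("column 4 -> byte %d\n", columnPos_safe(&sample_line, 4));
    printf("row 8 in a 1-line buffer -> %d\n", form_update_pos(&sample_buf, 8, 39));
    printf("NULL line -> byte %d\n", columnPos_safe(NULL, 39));
    return 0;
}
```

Calling `columnPos_unsafe(NULL, 39)` instead reproduces the SEGV; the point of the example is that the check closest to the data (`find_line` returning NULL and the caller honoring it) prevents the invalid pointer from ever reaching the column routine, while the guard inside `columnPos_safe` is defence in depth for other callers.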

tats added a commit that referenced this issue Dec 26, 2017

tats commented Dec 26, 2017

Fixed, thank you.

@tats tats closed this as completed Dec 26, 2017

carnil commented Jan 25, 2018

This issue has been assigned CVE-2018-6197
