Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

malform html tag may crash w3m #9

Closed
kcwu opened this issue Aug 12, 2016 · 1 comment

Comments

Projects
None yet
2 participants
@kcwu
Copy link
Contributor

commented Aug 12, 2016

How to reproduce

 echo '0000000000000000000000000000000000000000000000000000000000000>000000000000000000<button type=>0<i></button><div>0' | ./w3m -T text/html -dump

gdb log

Program received signal SIGSEGV, Segmentation fault.
0x0000000000473b09 in onAnchor (a=0x3030303030, line=2, pos=18) at anchor.c:109
109         if (bpcmp(bp, a->start) < 0)
(gdb) p a
$1 = (Anchor *) 0x3030303030
(gdb) bt
#0  0x0000000000473b09 in onAnchor (a=0x3030303030, line=2, pos=18) at anchor.c:109
#1  0x0000000000474f53 in shiftAnchorPosition (al=0x7d5c40, hl=0x7d5ca0, line=2, pos=18, shift=18) at anchor.c:538
#2  0x000000000044f54f in formUpdateBuffer (a=0x7d9000, buf=0x7cde00, form=0x7d8f80) at form.c:490
#3  0x000000000044ea36 in formResetBuffer (buf=0x7cde00, formitem=0x7d5c40) at form.c:268
#4  0x000000000042c5b8 in loadHTMLBuffer (f=0x7fffffffd140, newBuf=0x7cde00) at file.c:6752
#5  0x0000000000416a40 in loadSomething (f=0x7fffffffd140, loadproc=0x42c47f <loadHTMLBuffer>, defaultbuf=0x7cde00) at file.c:224
#6  0x000000000041c7e6 in loadGeneralFile (path=0x7bcf00 "button-type.html", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2241
#7  0x00000000004070d1 in main (argc=3, argv=0x7fffffffd468, envp=0x7fffffffd488) at main.c:1017

Looks like something overflow and overwrite "a" pointer.

This is found by afl-fuzz

tats added a commit that referenced this issue Aug 15, 2016

@tats

This comment has been minimized.

Copy link
Owner

commented Aug 15, 2016

Fixed, thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.