Closed
Description
input
00000000: 3c74 6162 6c65 3e1b 3c61 3e30 3c74 6578 <table>.<a>0<tex
00000010: 7461 7265 6100 636f 6c73 3d32 3030 3e3c tarea.cols=200><
00000020: 713c 7461 626c 653e 303c 7020 3d3e 303c q<table>0<p =>0<
00000030: 6852 3e30 3c70 203d 3e30 3c70 0d3e 303c hR>0<p =>0<p.>0<
00000040: 703e 303c 6852 3e30 3c70 3e30 3c68 523e p>0<hR>0<p>0<hR>
00000050: 303c 7464 3e30 3c68 5220 616c 6967 6e3d 0<td>0<hR align=
00000060: 6d69 6464 6c65 3e30 3030 3030 1e30 3030 middle>00000.000
00000070: 3030 e430 3030 30ff 3030 3030 30a5 3030 00.0000.00000.00
00000080: 3030 303c 303c 3030 3030 3d30 3030 3030 000<0<0000=00000
00000090: 2f30 3030 3030 ff30 3030 3030 /00000.00000
gdb --args w3m -T text/html -dump file
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x0000000000479ffe in Strcat_charp (x=0x7f29a0, y=0x500000004 <error: Cannot access memory at address 0x500000004>) at Str.c:217
#2 0x000000000042ea11 in conv_symbol (l=0x7d6c60) at file.c:7614
#3 0x000000000042eb4c in _saveBuffer (buf=0x7d4e00, l=0x7d6c60, f=0x7ffff6ffe400 <_IO_2_1_stdout_>, cont=0) at file.c:7647
#4 0x000000000042eca3 in saveBuffer (buf=0x7d4e00, f=0x7ffff6ffe400 <_IO_2_1_stdout_>, cont=0) at file.c:7668
#5 0x0000000000408002 in do_dump (buf=0x7d4e00) at main.c:1360
#6 0x0000000000407433 in main (argc=5, argv=0x7fffffffcde8, envp=0x7fffffffce18) at main.c:1066
(gdb) frame 2
#2 0x000000000042ea11 in conv_symbol (l=0x7d6c60) at file.c:7614
7614 Strcat_charp(tmp, symbol[(int)c]);
(gdb) p symbol
$1 = (char **) 0x7ccd80
(gdb) p c
$2 = 81 'Q'
symbol is allocated in update_utf8_symbol(). Its size is only 46, so symbol[c] is a heap buffer overflow read.
This was found by afl-fuzz.
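As an added illustration (not w3m's code), the following shows the defensive form of the lookup that the backtrace points at: the index into the symbol table comes from document bytes, so it is range-checked against the table size before the dereference, and out-of-range codes are replaced rather than read past the end. The table size 46 and the code 81 ('Q') are taken from the report above; the table contents, the function names lookup_symbol and render_symbols, and the sample input are constructed for this example.

```c
/* Added example, not w3m's code: bounds-checked symbol lookup modelled on the
 * symbol[(int)c] access in conv_symbol(). N_SYMBOL = 46 is the table size
 * reported in the issue; the table contents here are constructed placeholders. */
#include <stdio.h>
#include <string.h>

#define N_SYMBOL 46

/* Constructed stand-in for w3m's symbol table: 46 short strings "s00".."s45". */
static const char *symbol_table[N_SYMBOL];

void init_symbol_table(void)
{
    static char storage[N_SYMBOL][4];
    for (int i = 0; i < N_SYMBOL; i++) {
        snprintf(storage[i], sizeof storage[i], "s%02d", i);
        symbol_table[i] = storage[i];
    }
}

/* Hardened lookup: the index is derived from untrusted document bytes, so it
 * is validated against the table size before the dereference. A negative
 * value is rejected too, which matters when the code is computed from a
 * signed char. Returns NULL for out-of-range codes instead of reading past
 * the table the way the unchecked symbol[(int)c] in the report does. */
const char *lookup_symbol(int c)
{
    if (c < 0 || c >= N_SYMBOL)
        return NULL;
    return symbol_table[c];
}

/* Render a run of symbol codes into out; out-of-range codes become '?'.
 * Returns how many codes were replaced, a useful signal to log when triaging
 * malformed documents or fuzzer findings. Output is truncated, never overrun. */
int render_symbols(const int *codes, size_t n, char *out, size_t outlen)
{
    int replaced = 0;
    size_t used = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const char *s = lookup_symbol(codes[i]);
        if (s == NULL) {
            s = "?";
            replaced++;
        }
        size_t len = strlen(s);
        if (used + len + 1 > outlen)
            break;                      /* keep room for the terminator */
        memcpy(out + used, s, len);
        used += len;
        out[used] = '\0';
    }
    return replaced;
}

int main(void)
{
    init_symbol_table();
    /* Constructed input: two valid codes and the out-of-range 81 ('Q') from the report. */
    int codes[] = { 0, 45, 81 };
    char buf[64];
    int bad = render_symbols(codes, 3, buf, sizeof buf);
    printf("%s (%d code(s) replaced)\n", buf, bad);
    return 0;
}
```

The check `c < 0 || c >= N_SYMBOL` is the whole fix in spirit: with the table size known at the point of use, the code 81 that crashed strlen() in the trace is simply rejected.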