stack-overflow in HTMLlineproc0
kcwu opened this issue · 3 comments
input (xxd cases/tats-w3m-198):
00000000: 3c64 743e 3c2f 6464 3e30 3030 3030 3030 <dt></dd>0000000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000020: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000040: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000050: 3030 3030 3030 3030 30 000000000
how to reproduce:
ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 ./w3m-tats.asan -T text/html -dump cases/tats-w3m-198
stderr:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4127742==ERROR: AddressSanitizer: stack-overflow on address 0x7fff22e35b08 (pc 0x000000433153 bp 0x7fff22e36350 sp 0x7fff22e35b10 T0)
#0 0x433153 in strlen (/w3m-tats.asan+0x433153)
#1 0x6c9b1f in Strnew_charp /fuzz/fuzzing-w3m/targets/w3m-tats/Str.c:81:9
#2 0x535ab3 in flushline /fuzz/fuzzing-w3m/targets/w3m-tats/file.c:2838:9
#3 0x56ed10 in HTMLlineproc0 /fuzz/fuzzing-w3m/targets/w3m-tats/file.c:6758:7
#4 0x56ed59 in HTMLlineproc0 /fuzz/fuzzing-w3m/targets/w3m-tats/file.c:6762:7
(skip)
SUMMARY: AddressSanitizer: stack-overflow (/w3m-tats.asan+0x433153) in strlen
==4127742==ABORTING
For more details on reproducing, please see http://github.com/kcwu/fuzzing-w3m
For your convenience, gdb line:
ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 gdb --args ./w3m-tats.asan -T text/html -dump cases/tats-w3m-198
Found by AFL++
Honestly, I'm not sure what I was doing there. I know I was trying to avoid description titles being on the wrong indentation level, but using the previous one already achieved that... or at least now it does; I might have messed up a few things at first which made the NOINDENT macro necessary. Anyway, currently the only thing the macro achieves is, as you described, breaking </dd> when called after <dl> or <dt>.
Long story short, replacing every instance of PUSH_ENV_NOINDENT with PUSH_ENV seems to fix the issue.
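A small triage helper, added here as an example and not part of this issue or of w3m: it parses the AddressSanitizer report above, flags the adjacent self-recursive HTMLlineproc0 frames that distinguish unbounded recursion from a merely oversized stack frame (a useful bucket when sorting a fuzzing queue), and rebuilds the 89-byte input from the xxd dump so the case can be regenerated without the repository. The report constant is a copy of the issue's stderr; function names are my own.

```python
import re

# ASan report from this issue, copied into a constant so the helper runs offline
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==4127742==ERROR: AddressSanitizer: stack-overflow on address 0x7fff22e35b08 (pc 0x000000433153 bp 0x7fff22e36350 sp 0x7fff22e35b10 T0)
    #0 0x433153 in strlen (/w3m-tats.asan+0x433153)
    #1 0x6c9b1f in Strnew_charp /fuzz/fuzzing-w3m/targets/w3m-tats/Str.c:81:9
    #2 0x535ab3 in flushline /fuzz/fuzzing-w3m/targets/w3m-tats/file.c:2838:9
    #3 0x56ed10 in HTMLlineproc0 /fuzz/fuzzing-w3m/targets/w3m-tats/file.c:6758:7
    #4 0x56ed59 in HTMLlineproc0 /fuzz/fuzzing-w3m/targets/w3m-tats/file.c:6762:7
SUMMARY: AddressSanitizer: stack-overflow (/w3m-tats.asan+0x433153) in strlen
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
# "#N 0xADDR in FUNC LOCATION"; LOCATION is "file:line:col" or "(module+offset)"
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+)(?: (\S+))?", re.M)


def parse_asan(report):
    """Return (error kind, list of (frame_no, function, location))."""
    m = ERROR_RE.search(report)
    frames = [(int(n), fn, loc) for n, fn, loc in FRAME_RE.findall(report)]
    return (m.group(1) if m else None), frames


def recursive_call_site(frames):
    """First function present in two adjacent frames, returned with the
    caller frame's location (the line that re-entered it), or None."""
    for (_, callee, _), (_, caller, caller_loc) in zip(frames, frames[1:]):
        if callee == caller:
            return caller, caller_loc
    return None


def triage(report):
    """Classify the crash: stack-overflow caused by unbounded recursion is a
    different bucket from a stack-overflow caused by one huge stack frame."""
    kind, frames = parse_asan(report)
    site = recursive_call_site(frames)
    if kind == "stack-overflow" and site:
        return "stack-overflow via recursion in %s at %s" % site
    if kind:
        return "%s in %s" % (kind, frames[0][1] if frames else "?")
    return "no AddressSanitizer error found"


def case_bytes():
    """The input from the xxd dump: '<dt></dd>' followed by 80 '0' bytes (89 bytes)."""
    return b"<dt></dd>" + b"0" * 80
```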