tats/w3m

segfault for malformed <input> tag

Closed this issue · 1 comments

kcwu commented

How to reproduce

$ echo '<input type=">">' |  ./w3m -T text/html -dump
segmentation fault (core dumped)
#0  0x000000000044f153 in formUpdateBuffer (a=0xe30000, buf=0xe22e00, form=0xe2ff80) at form.c:458
458                 p = form->value->ptr;
(gdb) p form
$1 = (FormItemList *) 0xe2ff80
(gdb) p form->value
$2 = (Str) 0x0
(gdb) bt
#0  0x000000000044f153 in formUpdateBuffer (a=0xe30000, buf=0xe22e00, form=0xe2ff80) at form.c:458
#1  0x000000000044e9cc in formResetBuffer (buf=0xe22e00, formitem=0xe210e0) at form.c:268
#2  0x000000000042c54e in loadHTMLBuffer (f=0x7ffca7a4db90, newBuf=0xe22e00) at file.c:6750
#3  0x000000000042ec9b in openGeneralPagerBuffer (stream=0xdbf1b0) at file.c:7765
#4  0x0000000000406bcd in main (argc=4, argv=0x7ffca7a4ddb8, envp=0x7ffca7a4dde0) at main.c:923

This is found by afl-fuzz.
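As an added example (not w3m's code), the crash site from the backtrace modelled in C: form.c:458 dereferences form->value->ptr while form->value is NULL, shown next to the guarded form a fix would need. The struct layouts, the name and type fields, and form_update_buffer are simplified assumptions; only value and ptr come from the report.

```c
/* Added example, not w3m's code: models the NULL form->value seen in
 * the backtrace (form.c:458, p = form->value->ptr) and the guard a fix
 * needs. Struct layouts below are simplified assumptions. */
#include <stddef.h>
#include <string.h>

typedef struct _Str { char *ptr; int length; } *Str;            /* assumed w3m-like Str */
typedef struct { char *name; char *type; Str value; } FormItemList; /* simplified */

/* Unguarded pattern from the report: dereferences value even when NULL. */
const char *form_value_unguarded(const FormItemList *form) {
    return form->value->ptr;
}

/* Guarded variant: a missing or empty value behaves as an empty string. */
const char *form_value_guarded(const FormItemList *form) {
    if (form == NULL || form->value == NULL || form->value->ptr == NULL)
        return "";
    return form->value->ptr;
}

/* Copies the item's value into a fixed-size display buffer, as a form
 * update would, and returns the number of bytes written. Tolerates a
 * NULL value and never overruns buf. */
size_t form_update_buffer(const FormItemList *form, char *buf, size_t bufsize) {
    const char *p = form_value_guarded(form);
    size_t n = strlen(p);
    if (bufsize == 0) return 0;
    if (n >= bufsize) n = bufsize - 1;   /* truncate, keep room for NUL */
    memcpy(buf, p, n);
    buf[n] = '\0';
    return n;
}

/* Constructed sample mirroring the gdb output for <input type=">">:
 * the item exists but its value was never allocated (value == NULL). */
FormItemList make_malformed_input(void) {
    FormItemList f = { "", ">", NULL };
    return f;
}
```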

tats commented

Fixed, thank you.