How to reproduce:
$ echo -e '<table><b<>\x00<listing><select_int selectnumber=90000000000>' | ./w3m -T text/html -dump > /dev/null
Segmentation fault
$ echo -e '<table><b<>\x00<listing><select_int selectnumber=-90000>' | ./w3m -T text/html -dump > /dev/null
Segmentation fault
Here, selectnumber could be negative, or positive but large enough to overflow to a negative value.
The corresponding code snippet:
6033 if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &n_select)
6034 && n_select < max_select) {
6035 select_option[n_select].first = NULL;
n_select is the selectnumber mentioned above. The check at line 6034 only tests the upper bound, so a negative n_select passes it and the write at line 6035 crashes.
Similar code pattern at line 6015:
6015 if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &n_textarea)
     && n_textarea < max_textarea) {
     textarea_str[n_textarea] = Strnew();
This was found by afl-fuzz.
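As an added illustration (not w3m's code), the following shows the one-sided check from the report next to a hardened variant that parses the attribute with overflow detection and rejects any index outside 0 <= n < max. The function names parse_bounded_index and unsafe_index_accepted are assumptions for this example; w3m's parsedtag_get_value() is not reproduced here.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Hypothetical hardened replacement for the index check in the report.
 * Parses the attribute text (e.g. the selectnumber value) with strtol,
 * rejects overflow and trailing garbage, and accepts the value only when
 * 0 <= value < max. On success stores the index in *out and returns 1. */
int parse_bounded_index(const char *text, int max, int *out)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0' || max <= 0)
        return 0;
    errno = 0;
    v = strtol(text, &end, 10);
    /* ERANGE: value does not fit in long; end == text: nothing parsed;
     * *end != '\0': trailing characters after the number. */
    if (errno == ERANGE || end == text || *end != '\0')
        return 0;
    /* The original only tested n < max. A negative n passes that test and
     * indexes before the start of the array; a huge positive value that
     * wraps to a negative int does the same. Check both bounds in long. */
    if (v < 0 || v >= (long)max)
        return 0;
    *out = (int)v;
    return 1;
}

/* The unsafe check from the report, kept for comparison: an int that is
 * already negative (or has wrapped negative) satisfies n < max. */
int unsafe_index_accepted(int n_select, int max_select)
{
    return n_select < max_select;
}
```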