segfault with incorrect form_int fid

$ echo "000<button value='\"><form_int fid=4'>00000000000000000000000000000000000000000000000000000000000000000000000000000"  | ./w3m -T text/html -dump
Program received signal SIGSEGV, Segmentation fault.
0x000000000042a90e in HTMLlineproc2body (buf=0x7cee00, feed=0x427fa1 <textlist_feed>, llimit=-1) at file.c:6117
6117            forms[form_id]->next = forms[form_id - 1];
(gdb) l 6116, 6117
6116        for (form_id = 1; form_id <= form_max; form_id++)
6117            forms[form_id]->next = forms[form_id - 1];
(gdb) p form_max
$4 = 4
(gdb) p form_id
$1 = 1
(gdb) p forms[1]
$2 = (FormList *) 0x0
(gdb) bt
#0  0x000000000042a90e in HTMLlineproc2body (buf=0x7cee00, feed=0x427fa1 <textlist_feed>, llimit=-1) at file.c:6117
#1  0x000000000042aba1 in HTMLlineproc2 (buf=0x7cee00, tl=0x7cc5e0) at file.c:6173
#2  0x000000000042dd6e in loadHTMLstream (f=0x7fffffffd120, newBuf=0x7cee00, src=0x0, internal=0) at file.c:7258
#3  0x000000000042c597 in loadHTMLBuffer (f=0x7fffffffd120, newBuf=0x7cee00) at file.c:6755
#4  0x0000000000416a40 in loadSomething (f=0x7fffffffd120, loadproc=0x42c4b2 <loadHTMLBuffer>, defaultbuf=0x7cee00) at file.c:224
#5  0x000000000041c7e6 in loadGeneralFile (path=0x7c3ae0 "/tmp/zshrj3HcP", current=0x0, referer=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, flag=0, request=0x0) at file.c:2241
#6  0x00000000004070d1 in main (argc=5, argv=0x7fffffffd448, envp=0x7fffffffd478) at main.c:1020

this is found by afl-fuzz

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

segfault with incorrect form_int fid #15

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

segfault with incorrect form_int fid #15

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions