Open randomssr opened 1 year ago
On Sun, Jul 23, 2023 at 02:50:06AM -0700, randomssr wrote:
> w3m heap-use-after-free
> Hello, w3m developers!
> I found a heap-use-after-free in w3m. Please confirm.

Negative.

> Thanks!
> Test Environment: Ubuntu 20.04, 64 bit, w3m (version: w3m-0.5.3-git20220429;)
> How to trigger: Compile the program with AddressSanitizer. Run command:
> $ ./w3m -dump_source -halfload http://127.0.0.1

Can't reproduce.
Here is my compilation command:
1. mkdir install
2. CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" ./configure --prefix=`pwd`/install
3. make
4. make install
I can reproduce the bug through the following command:
$ ./w3m -dump_source -halfload http://127.0.0.1
I can also reproduce the bug in the latest version: 0.5.3-git20210102-deb11u1. Please confirm. Thanks!
On Mon, Jul 24, 2023 at 12:18:04AM -0700, randomssr wrote:
> Here is my compilation command:
> 1. mkdir install
> 2. CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" ./configure --prefix=`pwd`/install
> 3. make
> 4. make install
> I can reproduce the bug through the following command:
> $ ./w3m -dump_source -halfload http://127.0.0.1
> I can also reproduce the bug in the latest version: 0.5.3-git20210102-deb11u1. Please confirm.

% ./w3m -dump_source -halfload http://localhost
w3m: Can't load http://localhost.
I tried % ./w3m -dump_source -halfload http://localhost and I can also get the same bug. Is it because we're compiling differently?
On Mon, Jul 24, 2023 at 03:35:19AM -0700, randomssr wrote:
> I tried % ./w3m -dump_source -halfload http://localhost and I can also get the same bug. Is it because we're compiling differently?
I followed your instructions. localhost is the same as 127.0.0.1.
As you seem to be using it, what does -halfload do? It isn't documented.
I just found the option in the source code. The option can assign "w3m_dump" and "w3m_halfload". Could you reproduce the bug? And if not, what's your output?
On Mon, Jul 24, 2023 at 05:37:03AM -0700, randomssr wrote:
> I just found the option in the source code. The option can assign "w3m_dump" and "w3m_halfload". Could you reproduce the bug?
Yes. You failed to mention the little detail that you are running a web server locally.
To reproduce, just connect to any web server using the halfload option. On Debian this reproduces without ASAN. The double free comes from the ISclose call in file.c:file_feed(). This seems to be borked from the beginning.
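As an added example (not w3m's code and not the maintainer's analysis), the close-on-EOF-then-close-again pattern behind the ISclose double free diagnosed above, modelled on a hypothetical stream type, with an ownership-tracked close as the mitigation; istream, is_open, is_close, is_destroy, file_feed and load_and_close are stand-in names, not w3m's.

```c
/* Added illustration, not w3m's code: a hypothetical stream whose feed loop
 * closes it at EOF while the caller closes it again (the shape of the ISclose
 * double free described above), beside an ownership-tracked close that makes
 * the second call a no-op. All names are stand-ins. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *buf;        /* heap buffer released by close */
    size_t pos, len;
    int closed;       /* set once the buffer has been released */
} istream;

istream *is_open(const char *data) {
    istream *s = calloc(1, sizeof *s);
    s->len = strlen(data);
    s->buf = malloc(s->len + 1);
    memcpy(s->buf, data, s->len + 1);
    return s;
}
/* Unguarded close: frees unconditionally. Once the feed loop has called it,
 * the caller's second call is a double free and any later read of s->buf is
 * the heap-use-after-free ASAN reports. Shown for contrast, never called. */
void is_close_unguarded(istream *s) { free(s->buf); free(s); }
/* Guarded close: idempotent. Returns 1 if it released the buffer now,
 * 0 if the stream was NULL or already closed. */
int is_close(istream *s) {
    if (s == NULL || s->closed) return 0;
    free(s->buf); s->buf = NULL; s->closed = 1;
    return 1;
}
/* Only the owner frees the handle itself, exactly once. */
void is_destroy(istream *s) { if (s) { is_close(s); free(s); } }
/* Feed loop: consume bytes until EOF, then close the stream itself. */
size_t file_feed(istream *s) {
    size_t n = 0;
    while (s->pos < s->len) { s->pos++; n++; }
    is_close(s);
    return n;
}
/* Caller path: feed, then close again as in the bug report. Returns what the
 * caller's close reported; 0 means the redundant close was a harmless no-op. */
int load_and_close(const char *data, size_t *consumed) {
    istream *s = is_open(data);
    *consumed = file_feed(s);
    int second = is_close(s);
    is_destroy(s);
    return second;
}
```

Built with -fsanitize=address, swapping is_close for is_close_unguarded in file_feed and load_and_close reproduces the double-free report shape; with the guarded close the second call is a no-op.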
Yes, I missed the detail of running locally. Thank you for your reply!
We mentioned this missing option at https://github.com/tats/w3m/issues/260. We hope you can repair the help document or man page as well. Thank you!
On Mon, Jul 24, 2023 at 06:10:36AM -0700, randomssr wrote:
> We mentioned this missing option at https://github.com/tats/w3m/issues/260. We hope you can repair the help document or man page as well. Thank you!
I have absolutely no idea what halfload is doing or what's the intended use-case - I can't fix the documentation.
I get it. Thank you for your timely reply!
On Mon, Jul 24, 2023 at 04:39:12PM +0200, Rene Kita wrote:
> On Mon, Jul 24, 2023 at 06:10:36AM -0700, randomssr wrote:
> > We mentioned this missing option at https://github.com/tats/w3m/issues/260. We hope you can repair the help document or man page as well. Thank you!
> I have absolutely no idea what halfload is doing or what's the intended use-case - I can't fix the documentation.
Now I have an idea. :)
As can be seen in Changelog.1:
2002-02-05 Hironori Sakamoto @.***>
    * [w3m-dev 02991] form support in w3m -halfdump foo.html|w3m -halfload
The purpose of halfload is to read the output of halfdump. Looks like a debugging option for developers.
w3m heap-use-after-free
Hello, w3m developers!
I found a heap-use-after-free in w3m. Please confirm. Thanks!
Test Environment: Ubuntu 20.04, 64 bit, w3m (version: w3m-0.5.3-git20220429;)
How to trigger: Compile the program with AddressSanitizer. Run command:
$ ./w3m -dump_source -halfload http://127.0.0.1
Details: ASAN report
$ ./w3m -dump_source -halfload http://127.0.0.1