tats / w3m

Debian's w3m: WWW browsable pager
https://tracker.debian.org/pkg/w3m

OOB write bug found via Strgrow at Str.c. #283

Open TimChan2001 opened 9 months ago

TimChan2001 commented 9 months ago

Hi, we found an OOB write bug via Strgrow at Str.c.

Reproduction

Build w3m with ASAN, then run

./w3m -dump $POC

We ran it on a 64-bit Ubuntu 20.04, and it also worked on Ubuntu 18.04.

ASAN Report

The POC can be found here. POC

AddressSanitizer:DEADLYSIGNAL
=================================================================
==23778==ERROR: AddressSanitizer: SEGV on unknown address 0x55b1f4ea3001 (pc 0x55b1f298b549 bp 0x7ffccd0e92e0 sp 0x7ffccd0e92c0 T0)
==23778==The signal is caused by a WRITE memory access.
    #0 0x55b1f298b548 in Strgrow /home/cyy/w3m/Str.c:306
    #1 0x55b1f28c551e in checkType /home/cyy/w3m/etc.c:507
    #2 0x55b1f28a4061 in loadBuffer /home/cyy/w3m/file.c:7727
    #3 0x55b1f2859174 in loadSomething /home/cyy/w3m/file.c:232
    #4 0x55b1f2869005 in loadGeneralFile /home/cyy/w3m/file.c:2288
    #5 0x55b1f282c56b in main /home/cyy/w3m/main.c:1061
    #6 0x7f3eb7de5082 in __libc_start_main ../csu/libc-start.c:308
    #7 0x55b1f282778d in _start (/home/cyy/w3m/w3m+0xae78d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/cyy/w3m/Str.c:306 in Strgrow
==23778==ABORTING

rkta commented 9 months ago
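Triaging a trace like the one above by hand gets tedious once a fuzzer produces dozens of them. The following is an added example, not w3m code and not from the reporter: a small Python parser that pulls the bug class, access direction, faulting address and stack frames out of an ASAN report and locates the first frame inside the project tree. It is fed the issue's own trace as constructed input (frames #2-#4 dropped for brevity); the project root path is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed input: the ASAN report from the issue above (frames #2-#4 omitted for brevity).
SAMPLE_REPORT = """\
==23778==ERROR: AddressSanitizer: SEGV on unknown address 0x55b1f4ea3001 (pc 0x55b1f298b549 bp 0x7ffccd0e92e0 sp 0x7ffccd0e92c0 T0)
==23778==The signal is caused by a WRITE memory access.
    #0 0x55b1f298b548 in Strgrow /home/cyy/w3m/Str.c:306
    #1 0x55b1f28c551e in checkType /home/cyy/w3m/etc.c:507
    #5 0x55b1f282c56b in main /home/cyy/w3m/main.c:1061
    #6 0x7f3eb7de5082 in __libc_start_main ../csu/libc-start.c:308
    #7 0x55b1f282778d in _start (/home/cyy/w3m/w3m+0xae78d)
SUMMARY: AddressSanitizer: SEGV /home/cyy/w3m/Str.c:306 in Strgrow
"""
# The ERROR line names the bug class; SEGV reports say "on unknown address", others "on address".
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?")
# Access direction: "caused by a WRITE memory access" (SEGV) or "WRITE of size N" (bounds/UAF reports).
ACCESS_RE = re.compile(r"\b(?P<access>READ|WRITE)\b (?:memory access|of size \d+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")

@dataclass
class AsanCrash:
    kind: str                      # SEGV, heap-buffer-overflow, ...
    access: str | None             # READ / WRITE when ASAN states it
    address: str | None            # faulting address, if reported
    frames: list[tuple[str, str]]  # (function, file:line or module+offset), frame #0 first

    def first_project_frame(self, project_root: str) -> tuple[str, str] | None:
        # Top-most frame whose source lives under project_root (skips libc and _start).
        for func, loc in self.frames:
            if loc.startswith(project_root):
                return func, loc
        return None

    def triage(self) -> str:
        # Coarse priority: a WRITE outranks a READ, which outranks an access ASAN could not classify.
        return {"WRITE": "high", "READ": "medium"}.get(self.access or "", "unknown")

def parse_asan_report(text: str) -> AsanCrash:
    kind = addr = access = None
    frames: list[tuple[str, str]] = []
    for line in text.splitlines():
        if kind is None and (m := ERROR_RE.search(line)):
            kind, addr = m["kind"], m["addr"]
        elif access is None and (m := ACCESS_RE.search(line)):
            access = m["access"]
        elif m := FRAME_RE.match(line):
            frames.append((m["func"], m["loc"]))
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return AsanCrash(kind, access, addr, frames)
```

`parse_asan_report(SAMPLE_REPORT).first_project_frame("/home/cyy/w3m/")` returns `("Strgrow", "/home/cyy/w3m/Str.c:306")`, the frame a maintainer would open first.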

On Fri, Nov 17, 2023 at 12:52:47AM -0800, TimChan2001 wrote:

> Hi, we found an OOB write bug via Strgrow at Str.c.
>
> Reproduction
>
> Build w3m with ASAN, then run
>
> ./w3m -dump $POC
>
> We ran it on a 64-bit Ubuntu 20.04, and it also worked on Ubuntu 18.04.
>
> ASAN Report
>
> The POC can be found here. POC

Cannot reproduce on current master.