tats / w3m

Debian's w3m: WWW browsable pager
https://tracker.debian.org/pkg/w3m

OOB read bug found via Strnew_size at Str.c. #284

Open TimChan2001 opened 9 months ago

TimChan2001 commented 9 months ago

Hi, we found an OOB read bug via Strnew_size at Str.c.

Reproduction

Build w3m with ASAN, then run

./w3m -dump $POC

We ran it on a 64-bit Ubuntu 20.04, and it also worked on Ubuntu 18.04.

ASAN Report

The POC can be found here. POC

AddressSanitizer:DEADLYSIGNAL
=================================================================
==24017==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f325c6c57b3 bp 0x000000000000 sp 0x7ffd23364ce0 T0)
==24017==The signal is caused by a READ memory access.
==24017==Hint: address points to the zero page.
    #0 0x7f325c6c57b2 in GC_malloc_kind (/lib/x86_64-linux-gnu/libgc.so.1+0x227b2)
    #1 0x56376586faf4 in Strnew_size /home/cyy/w3m/Str.c:61
    #2 0x5637658813bb in wc_conv_to_ces /home/cyy/w3m/libwc/conv.c:70
    #3 0x563765880b70 in wc_Str_conv /home/cyy/w3m/libwc/conv.c:23
    #4 0x56376578bd5e in _saveBuffer /home/cyy/w3m/file.c:7875
    #5 0x56376578c0e3 in saveBuffer /home/cyy/w3m/file.c:7893
    #6 0x5637657146cf in do_dump /home/cyy/w3m/main.c:1409
    #7 0x563765712baf in main /home/cyy/w3m/main.c:1115
    #8 0x7f325c4a5082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x56376570d78d in _start (/home/cyy/w3m/w3m+0xae78d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libgc.so.1+0x227b2) in GC_malloc_kind
==24017==ABORTING
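
A small triage helper, added here as an example and not part of this issue or of w3m: it parses the ASAN report above into its error kind, fault address, access type, hint and stack frames, names the defect class from those fields alone (an ASAN `SEGV` whose fault address lies in the zero page is a null-pointer dereference inside the called function, while a `heap-buffer-overflow` with a `READ` is an out-of-bounds read), and returns the innermost frame under the project's own source tree, which in the report above is `/home/cyy/w3m/`. The second, heap-buffer-overflow report in the block is constructed for contrast and is not from this issue.

```python
import re

# The ASAN report from the issue above, embedded verbatim so the helper runs offline.
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==24017==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f325c6c57b3 bp 0x000000000000 sp 0x7ffd23364ce0 T0)
==24017==The signal is caused by a READ memory access.
==24017==Hint: address points to the zero page.
    #0 0x7f325c6c57b2 in GC_malloc_kind (/lib/x86_64-linux-gnu/libgc.so.1+0x227b2)
    #1 0x56376586faf4 in Strnew_size /home/cyy/w3m/Str.c:61
    #2 0x5637658813bb in wc_conv_to_ces /home/cyy/w3m/libwc/conv.c:70
    #3 0x563765880b70 in wc_Str_conv /home/cyy/w3m/libwc/conv.c:23
    #4 0x56376578bd5e in _saveBuffer /home/cyy/w3m/file.c:7875
    #5 0x56376578c0e3 in saveBuffer /home/cyy/w3m/file.c:7893
    #6 0x5637657146cf in do_dump /home/cyy/w3m/main.c:1409
    #7 0x563765712baf in main /home/cyy/w3m/main.c:1115
    #8 0x7f325c4a5082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x56376570d78d in _start (/home/cyy/w3m/w3m+0xae78d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libgc.so.1+0x227b2) in GC_malloc_kind
==24017==ABORTING
"""

# Constructed sample (not from the issue) showing how ASAN reports a genuine OOB read.
OOB_REPORT = """\
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x000000400b3a bp 0x7ffc0 sp 0x7ffc0
READ of size 4 at 0x602000000014 thread T0
    #0 0x400b39 in read_one /tmp/example/example.c:12
    #1 0x400c10 in main /tmp/example/example.c:20
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)(?: on (?:unknown )?address (0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b(?: of size (\d+))?")
HINT_RE = re.compile(r"==\d+==Hint: (.*)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.*?)\s*$")

PAGE_SIZE = 4096  # a fault address below this is in the zero page, i.e. a NULL-derived pointer


def parse_asan_report(text):
    """Extract error kind, fault address, access type/size, hint and stack frames from an ASAN report."""
    report = {"error": None, "address": None, "access": None, "size": None, "hint": None, "frames": []}
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m and report["error"] is None:
            report["error"] = m.group(1)
            report["address"] = int(m.group(2), 16) if m.group(2) else None
            continue
        m = HINT_RE.search(line)
        if m:
            report["hint"] = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        # "The signal is caused by a READ memory access." (SEGV) or "READ of size 4 at ..." (overflow)
        if report["access"] is None and ("memory access" in line or " of size " in line):
            m = ACCESS_RE.search(line)
            if m:
                report["access"] = m.group(1)
                report["size"] = int(m.group(2)) if m.group(2) else None
    return report


def classify(report):
    """Name the defect class implied by the report's own fields."""
    kind, addr, access = report["error"], report["address"], report["access"]
    if kind == "SEGV":
        if addr is not None and addr < PAGE_SIZE:
            return "null-pointer dereference"
        return "wild-pointer access"
    if kind and kind.endswith("-buffer-overflow"):
        return "out-of-bounds " + (access or "access").lower()
    return kind or "unknown"


def first_project_frame(report, project_root):
    """Innermost frame whose source location is under project_root: where the project's code enters the fault."""
    for frame in report["frames"]:
        if frame[2].startswith(project_root):
            return frame
    return None


if __name__ == "__main__":
    for name, text, root in (("issue", ASAN_REPORT, "/home/cyy/w3m/"), ("constructed", OOB_REPORT, "/tmp/example/")):
        r = parse_asan_report(text)
        print(name, r["error"], hex(r["address"]), r["access"], "->", classify(r))
        print("  first project frame:", first_project_frame(r, root))
```

Run on the issue's report it yields `SEGV 0x0 READ -> null-pointer dereference` with `Strnew_size` at `Str.c:61` as the first project frame, which is the place a maintainer would start reading; on the constructed report it yields `out-of-bounds read`.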

rkta commented 9 months ago

On Fri, Nov 17, 2023 at 01:01:33AM -0800, TimChan2001 wrote:

> Hi, we found an OOB read bug via Strnew_size at Str.c.
>
> Reproduction
>
> Build w3m with ASAN, then run
>
> ./w3m -dump $POC
>
> We ran it on a 64-bit Ubuntu 20.04, and it also worked on Ubuntu 18.04.
>
> ASAN Report
>
> The POC can be found here. POC

Can not reproduce on current master.