Bug 599724 - www-client/w3m-0.5.3-r8 button patch lacks a nil check for lookup of type. w3m crashes on typos.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: CJK Team
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2016-11-14 18:46 UTC by bugs
Modified: 2016-12-04 15:20 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
The make-all-buttons-submit fix for convenience of other w3m users. (w3m-0.5.3-button.patch,13.99 KB, patch)
2016-11-16 16:21 UTC, bugs

Description bugs 2016-11-14 18:46:44 UTC
Encountered this in a button tag where submit was typoed as sumbit - I actually wonder if it's the reason for some w3m crashes in the past.

echo '<button type="x">' | w3m -T text/html

Kaboom!

w3m-0.5.3-button.patch does:
+    char *p, *q, *r, *qq = NULL;
…
+    p = "submit";
+    parsedtag_get_value(tag, ATTR_TYPE, &p);
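Review bot: p is not re-checked after parsedtag_get_value(tag, ATTR_TYPE, &p), so the "submit" default assigned on the line above is lost whenever the call overwrites p with NULL, which the report says happens for an unrecognised type such as type="x". Add `if (p == NULL) p = "submit";` directly after the call, before p reaches any format string.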


Unfortunately, the w3m parsing does this:
static char *_formtypetbl[] = {
    "text", "password", "checkbox", "radio", "submit", "reset", "hidden",
    "image", "select", "textarea", "button", "file", NULL
};
and...
int
formtype(char *typestr)
{
    int i;
    for (i = 0; _formtypetbl[i]; i++) {
        if (!strcasecmp(typestr, _formtypetbl[i]))
            return i;
    }
    return FORM_UNKNOWN;
}
and returns NULL on FORM_UNKNOWN which is types it doesn't recognise.

So as a result the string gets set to null and promptly blows up the string formatting here.

+    Strcat(tmp, Sprintf("<input_alt hseq=\"%d\" fid=\"%d\" type=%s "
+                       "name=\"%s\" value=\"%s\">",
+                       cur_hseq++, cur_form_id, p, html_quote(r), qq));
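Review bot: type=%s is emitted without quotes and p is passed as-is, while name and value are quoted and r goes through html_quote(). Writing type=\"%s\" would keep the three attributes consistent, and since %s receives the pointer directly, p has to be guaranteed non-NULL before this call.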


A simple nil check and reassigning to "submit" oughta do the trick, but I just commented out the type fetch personally, since I figure any <button type="button"> is probably JS and maybe possibly can get the form to work if I pretend it is a submit.
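
The nil check with a fallback to "submit" that the report suggests, as an added example that is not part of the original report or of w3m's code. get_type_value() is a hypothetical stand-in for the attribute getter that models the behaviour described above, and the value of FORM_UNKNOWN is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define FORM_UNKNOWN (-1)   /* assumed value; the report only names the constant */

static const char *formtypetbl[] = {
    "text", "password", "checkbox", "radio", "submit", "reset", "hidden",
    "image", "select", "textarea", "button", "file", NULL
};

/* Same loop as the formtype() quoted in the report. */
static int formtype(const char *typestr)
{
    for (int i = 0; formtypetbl[i]; i++)
        if (!strcasecmp(typestr, formtypetbl[i]))
            return i;
    return FORM_UNKNOWN;
}

/* Hypothetical stand-in for the attribute getter: leaves *out untouched when
 * the attribute is absent and stores NULL when the type is not recognised,
 * which is the behaviour the report describes. */
static void get_type_value(const char *attr, const char **out)
{
    if (attr == NULL)
        return;
    int t = formtype(attr);
    *out = (t == FORM_UNKNOWN) ? NULL : formtypetbl[t];
}

/* Hardened caller: set the default, do the lookup, then re-check. */
static const char *button_type(const char *attr)
{
    const char *p = "submit";
    get_type_value(attr, &p);
    if (p == NULL)          /* the missing check: unknown type falls back */
        p = "submit";
    return p;
}

int main(void)
{
    /* Constructed input: the "sumbit" typo mentioned in the report. */
    printf("<input_alt type=\"%s\">\n", button_type("sumbit"));
    return 0;
}
```

Recognised types such as "reset" and "button" are still honoured; only an unrecognised value falls back to "submit".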
Comment 1 bugs 2016-11-14 19:25:13 UTC
Followup:
replacing
+    parsedtag_get_value(tag, ATTR_TYPE, &p);
with
+    /*parsedtag_get_value(tag, ATTR_TYPE, &p);*/

in my local button patch and rebuilding eliminated the crash.
Comment 2 bugs 2016-11-16 16:21:56 UTC
Created attachment 453538 [details, diff]
The make-all-buttons-submit fix for convenience of other w3m users.

ebuild w3m-0.5.3-r8.ebuild manifest  will be needed if you're fixing it yourself.
And... Maybe it would be better to honour the button type w/ a nil check fallback to submit, but I really have no idea what w3m could usefully do w/ type="button" anyway
Comment 3 Jonas Stein gentoo-dev 2016-12-03 22:06:03 UTC
@cjk Should this patch be sent to upstream too?
Comment 4 Yixun Lan archtester gentoo-dev 2016-12-04 15:20:44 UTC
(In reply to Jonas Stein from comment #3)
> @cjk Should this patch be sent to upstream too?

just checked, this patch is already included at upstream, and already included at =www-client/w3m-0.5.3-r9, so cheers

generally, I always think it's a good idea to work with upstream closely, push patches back, thus we carry less at downstream.. and have more clean ebuild