[Lynx-dev] 3xcrash: NULL dereferencing and buffer overflows

[Ulf Harnhammar]

Hello,

I have found some NULL dereferencing bugs and buffer overflows in
lynx. They cause crashes under various circumstances. Despite being
buffer overflows, I see no security impact at all. The bugs affect
at least the versions 2.8.6dev.13 and 2.8.5. All patches are made
against 2.8.6dev.13.


1) NULL dereferencing crash with unexpected data from Gopher server

I have attached a fake Gopher server, lynx-gopher-crash.pl, that
illustrates this issue. Run it, connect to it with lynx (lynx
gopher://fake.server), select the Search menu item, press s, search
for something.. notice how lynx crashes.

The attached patch lynx.gophercrash.patch corrects this bug.


2) Buffer overflow when handling overly long prefix/suffix strings
in lynx.cfg

You can test this issue by applying the lynxcfg.prefixsuffix.patch
file to lynx.cfg and then using lynx to connect to a host with no
dots (lynx a).. notice how lynx crashes.

The attached patch lynx.prefixsuffixcrash.patch corrects this bug.


3) Buffer overflow when lex() parses data from files

I have attached the lynx.lexoverflow.patch file for this issue.


// Ulf Harnhammar

lynx-gopher-crash.pl
Description: Text Data

lynx.gophercrash.patch
Description: Text document

lynxcfg.prefixsuffix.patch
Description: Text document

lynx.prefixsuffixcrash.patch
Description: Text document

lynx.lexoverflow.patch
Description: Text document