[bug #66004] recursive download crashes on html files bigger than INT_MAX

Fri, 19 Jul 2024 11:58:25 -0700 

URL:
  <https://savannah.gnu.org/bugs/?66004>

                 Summary: recursive download crashes on html files bigger than
INT_MAX
                   Group: GNU Wget
               Submitter: None
               Submitted: Fri 19 Jul 2024 06:57:40 PM UTC
                Category: Crash/Freeze/Infloop
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: Amy
        Originator Email: [email protected]
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 1.20
        Operating System: Mac OS
         Reproducibility: Every Time
           Fixed Release: None
         Planned Release: None
              Regression: None
           Work Required: None
          Patch Included: No


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Fri 19 Jul 2024 06:57:40 PM UTC By: Anonymous
this affects 1.24.5, but versions newer than 1.20 don't seem to be in the
dropdown?

reproducible by using -r on a url that wget treats as html and has a size
which will become negative when casted from long to int (e.g. will crash with
a 3gb file, but not a 5gb one). it will segfault reading out of bounds on the
mapped file. seems this is because of map_html_tags size argument.

(while of course a 2+ gb html file is rare and i don't see how this would be
exploitable, a misconfigured server can result in binary files being parsed as
html, which is how i originally ran into this bug)

hope that helps!






    _______________________________________________________
File Attachments:


-------------------------------------------------------
Name: macos@[email protected]  Size: 7KiB
<https://file.savannah.gnu.org/file/macos@[email protected]?file_id=56291>

    AGPL NOTICE

These attachments are served by Savane. You can download the corresponding
source code of Savane at
https://git.savannah.nongnu.org/cgit/administration/savane.git/snapshot/savane-b921eb6f47f98f9b46802ed414f7b7f6c3798603.tar.gz

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?66004>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/

Attachment: signature.asc
Description: PGP signature

Reply via email to