On Mon, Oct 27, 2025 at 12:35:43AM +0100, Thorsten Glaser wrote:
> On Sun, 26 Oct 2025, Thomas Dickey wrote:
>
> >I need more detail to see how to exercise this. #23 appears to be the
>
> I can imagine… I needed to repro this on a non-classified box first.
>
> >just gives me
>
> Edit the form's submit-URL:
>
> I sometimes got that as well, but I got it now in a chroot.
>
> I go to the URL, press PgDn once (34 line high terminal)
> and just :submit without even checking it. (That’s the
> checkbox below Du machst dir Gedanken über deine Bedrohungslage)
>
> 1549 *result = pfi->data;
> (gdb) bt
> #0 MakeFormAction (given=0x555555d8ac38, submit=submit@entry=1) at
> ../../src/LYMainLoop.c:1549
> #1 0x00005555555e2f9e in handle_LYK_SUBMIT (cur=<optimized out>,
> refresh_screen=refresh_screen@entry=0x7fffffffddba "", doc=0x55555574f460
> <newdoc>)
> at ../../src/LYMainLoop.c:1567
> #2 0x00005555555e98f8 in mainloop () at ../../src/LYMainLoop.c:7478
> #3 0x00005555555af78e in main (argc=<optimized out>, argv=<optimized out>)
> at ../../src/LYMain.c:2261
> (gdb) print pfi
> $1 = (PerFormInfo *) 0x0
>
> I suspect what happens here is that that is a JS-only form
> so some structure is not initialised, and this lacks a nil
> pointer check. (Trying to submit outside of that form does
> correctly show an error message about that.)

thanks - I can get something like that (asan didn't help):
Program received signal SIGSEGV, Segmentation fault.
0x0000557b76830848 in MakeFormAction (given=0x5250001d5058,
submit=submit@entry=1) at LYMainLoop.c:1549
1549 *result = pfi->data;
(gdb) bt
#0 0x0000557b76830848 in MakeFormAction (given=0x5250001d5058,
submit=submit@entry=1) at LYMainLoop.c:1549
#1 0x0000557b76830b8d in handle_LYK_SUBMIT (cur=<optimized out>,
doc=doc@entry=0x557b76c91580 <newdoc>,
refresh_screen=refresh_screen@entry=0x7fb745e01030 "") at LYMainLoop.c:1567
#2 0x0000557b7684b4fb in mainloop () at LYMainLoop.c:7478
#3 0x0000557b76828ba0 in main (argc=<optimized out>, argv=<optimized out>)
at LYMain.c:2261
Retrying with optimization off:
Program received signal SIGSEGV, Segmentation fault.
0x00005602fc7f7861 in MakeFormAction (given=0x5250001d5058, submit=1)
at LYMainLoop.c:1549
1549 *result = pfi->data;
(gdb) bt
#0 0x00005602fc7f7861 in MakeFormAction (given=0x5250001d5058, submit=1)
at LYMainLoop.c:1549
#1 0x00005602fc7f7bd0 in handle_LYK_SUBMIT (cur=0,
doc=0x5602fcd11300 <newdoc>, refresh_screen=0x7f0014101030 "")
at LYMainLoop.c:1567
#2 0x00005602fc81cf43 in mainloop () at LYMainLoop.c:7478
#3 0x00005602fc7ea0c2 in main (argc=2, argv=0x7ffcda107168) at LYMain.c:2261
...the same place. MakeFormAction could return a NULL, so... just adding
a null-pointer check for pfi before making that assignment "should" work.
Testing that change, I don't see an additional problem.
--
Thomas E. Dickey <[email protected]>
https://invisible-island.net
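A minimal model of the crash discussed in this thread, next to the guarded assignment; this is an added illustration, not lynx source. The struct layouts, `per_form_info()` and both `make_action_*` functions are hypothetical stand-ins for the names in the backtrace, and the form list is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the types in the backtrace (assumed layout). */
typedef struct { int number; const char *submit_action; } FormInfo;
typedef struct PerFormInfo {
    FormInfo data;
    struct PerFormInfo *next;
} PerFormInfo;

/* Constructed sample: only form 1 ever got a per-form record. */
static PerFormInfo form1 = { { 1, "/search" }, NULL };
static PerFormInfo *forms = &form1;

/* Hypothetical lookup: NULL when no record exists for this form number. */
PerFormInfo *per_form_info(int number)
{
    PerFormInfo *p;
    for (p = forms; p != NULL; p = p->next)
        if (p->data.number == number)
            return p;
    return NULL;
}

/* Shape of the crash at line 1549: the lookup result is used unchecked. */
int make_action_unchecked(const FormInfo *given, FormInfo *result)
{
    PerFormInfo *pfi = per_form_info(given->number);
    *result = pfi->data;        /* faults when pfi is NULL */
    return 1;
}

/* Guarded form: refuse the submit and leave *result untouched. */
int make_action_checked(const FormInfo *given, FormInfo *result)
{
    PerFormInfo *pfi = given ? per_form_info(given->number) : NULL;
    if (pfi == NULL || result == NULL)
        return 0;               /* caller can show an error instead */
    *result = pfi->data;
    return 1;
}

int main(void)
{
    FormInfo good = { 1, NULL }, orphan = { 2, NULL }, out = { 0, NULL };
    printf("form 1: %d\n", make_action_checked(&good, &out));
    printf("form 2: %d\n", make_action_checked(&orphan, &out));
    return 0;
}
```

Returning a failure code lets the caller report the problem to the user, as already happens when submitting outside a form.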

