00000000: 303c 6275 7474 6f6e 2076 616c 7565 3d27  0<button value='
00000010: 223e 3c69 6e74 6572 6e61 6c3e 273e 3c41  "><internal>'><A
00000020: 2068 7265 663d 3e3c 6832 3e3c 696e 7075   href=><h2><inpu
00000030: 7420 7479 7065 3d22 7261 6469 6f22 3e    t type="radio">

Build with ASan:
export CC=clang-3.6
export CFLAGS='-g -O0 -fsanitize=address'
export ASAN_OPTIONS='abort_on_error=1:detect_leaks=0'
./configure --enable-image=no
make clean all

./w3m -T text/html -dump input

==2826401==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a0eaa6 at pc 0x00000075f03c bp 0x7ffd06f92990 sp 0x7ffd06f92988
WRITE of size 1 at 0x000000a0eaa6 thread T0
    #0 0x75f03b in formUpdateBuffer /fuzz/w3m/form.c:448:6
    #1 0x7631ba in formResetBuffer /fuzz/w3m/form.c:272:2
    #2 0x5a4482 in loadHTMLBuffer /fuzz/w3m/file.c:6779:2
    #3 0x5aa4e0 in loadSomething /fuzz/w3m/file.c:224:16
    #4 0x595063 in loadGeneralFile /fuzz/w3m/file.c:2241:6
    #5 0x4f8bf9 in main /fuzz/w3m/main.c:1020:12
    #6 0x7f7afc164f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #7 0x447316 in _start (/fuzz/w3m/w3m.asan+0x447316)

0x000000a0eaa6 is located 58 bytes to the left of global variable '<string literal>' defined in 'buffer.c:62:21' (0xa0eae0) of size 7
  '<string literal>' is ascii string '*Null*'
0x000000a0eaa6 is located 5 bytes to the right of global variable '<string literal>' defined in 'buffer.c:18:18' (0xa0eaa0) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /fuzz/w3m/form.c:448 formUpdateBuffer
Shadow bytes around the buggy address:
  0x000080139d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080139d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080139d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080139d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080139d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080139d50: 00 00 00 00[01]f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x000080139d60: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 00 03 f9
  0x000080139d70: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x000080139d80: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x000080139d90: f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
  0x000080139da0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2826401==ABORTING

Program received signal SIGSEGV, Segmentation fault.
0x000000000044f4d9 in formUpdateBuffer (a=0x7e00d8, buf=0x7d3e00, form=0x7dfe00) at form.c:448
448                 buf->currentLine->lineBuf[spos] = ' ';
(gdb) p buf->currentLine
$1 = (Line *) 0x7d5de0
(gdb) p buf->currentLine->lineBuf
$2 = 0x495682 ""
(gdb) p spos
$3 = 6