The put_chars function in html_r.c in Twibright Links 2.14 allows remote attackers to cause a denial of service via a crafted HTML file.