diff options
author | Tatsuya Kinoshita <tats@debian.org> | 2016-11-21 14:43:14 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2016-11-21 14:43:14 +0000 |
commit | 9d6b147df996ae28128d54e8a9dc92c4714b87d8 (patch) | |
tree | ff70b847a186f00ccd68af42329c3b4c13586093 | |
parent | New patch 916_anchor.patch to fix heap write (diff) | |
download | w3m-9d6b147df996ae28128d54e8a9dc92c4714b87d8.tar.gz w3m-9d6b147df996ae28128d54e8a9dc92c4714b87d8.zip |
New patch 917_strgrow.patch to fix potential heap buffer corruption
[CVE-2016-9442]
Diffstat (limited to '')
-rw-r--r-- | debian/patches/917_strgrow.patch | 20 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 21 insertions, 0 deletions
diff --git a/debian/patches/917_strgrow.patch b/debian/patches/917_strgrow.patch new file mode 100644 index 0000000..ac646dc --- /dev/null +++ b/debian/patches/917_strgrow.patch @@ -0,0 +1,20 @@ +Subject: Fix potential heap buffer corruption due to Strgrow +Author: Kuang-che Wu <kcwu@google.com> +Bug-Debian: https://github.com/tats/w3m/pull/27 [CVE-2016-9442] +Origin: https://github.com/tats/w3m/pull/27/commits/c95a43dc92695464be11c8a51811aaa9761546e6 + +diff --git a/Str.c b/Str.c +index eff82a4..5287c0f 100644 +--- a/Str.c ++++ b/Str.c +@@ -232,8 +232,8 @@ Strgrow(Str x) + { + char *old = x->ptr; + int newlen; +- newlen = x->length * 6 / 5; +- if (newlen == x->length) ++ newlen = x->area_size * 6 / 5; ++ if (newlen == x->area_size) + newlen += 2; + x->ptr = GC_MALLOC_ATOMIC(newlen); + x->area_size = newlen; diff --git a/debian/patches/series b/debian/patches/series index 2720145..223af6d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -52,3 +52,4 @@ 914_curline.patch 915_table-alt.patch 916_anchor.patch +917_strgrow.patch |