aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-11-21 14:43:14 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-21 14:43:14 +0000
commit9d6b147df996ae28128d54e8a9dc92c4714b87d8 (patch)
treeff70b847a186f00ccd68af42329c3b4c13586093
parentNew patch 916_anchor.patch to fix heap write (diff)
downloadw3m-9d6b147df996ae28128d54e8a9dc92c4714b87d8.tar.gz
w3m-9d6b147df996ae28128d54e8a9dc92c4714b87d8.zip
New patch 917_strgrow.patch to fix potential heap buffer corruption
[CVE-2016-9442]
Diffstat (limited to '')
-rw-r--r--debian/patches/917_strgrow.patch20
-rw-r--r--debian/patches/series1
2 files changed, 21 insertions, 0 deletions
diff --git a/debian/patches/917_strgrow.patch b/debian/patches/917_strgrow.patch
new file mode 100644
index 0000000..ac646dc
--- /dev/null
+++ b/debian/patches/917_strgrow.patch
@@ -0,0 +1,20 @@
+Subject: Fix potential heap buffer corruption due to Strgrow
+Author: Kuang-che Wu <kcwu@google.com>
+Bug-Debian: https://github.com/tats/w3m/pull/27 [CVE-2016-9442]
+Origin: https://github.com/tats/w3m/pull/27/commits/c95a43dc92695464be11c8a51811aaa9761546e6
+
+diff --git a/Str.c b/Str.c
+index eff82a4..5287c0f 100644
+--- a/Str.c
++++ b/Str.c
+@@ -232,8 +232,8 @@ Strgrow(Str x)
+ {
+ char *old = x->ptr;
+ int newlen;
+- newlen = x->length * 6 / 5;
+- if (newlen == x->length)
++ newlen = x->area_size * 6 / 5;
++ if (newlen == x->area_size)
+ newlen += 2;
+ x->ptr = GC_MALLOC_ATOMIC(newlen);
+ x->area_size = newlen;
diff --git a/debian/patches/series b/debian/patches/series
index 2720145..223af6d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -52,3 +52,4 @@
914_curline.patch
915_table-alt.patch
916_anchor.patch
+917_strgrow.patch