| author | Tatsuya Kinoshita <tats@debian.org> | 2017-01-06 14:18:40 +0000 | 
|---|---|---|
| committer | Tatsuya Kinoshita <tats@debian.org> | 2017-01-06 14:18:40 +0000 | 
| commit | d73f74e2cb70297d1373d7fa8921881106dc0b58 (patch) | |
| tree | 66567ba8a175389f4d72346e5440bae0eb882c76 | |
| parent | Debian release 0.5.3-19+deb8u1 (diff) | |
| download | w3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.tar.gz w3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.zip | |
Fix multiple vulnerabilities (closes: #850432)
- New patch 934_menu.patch to fix buffer overflow (tats/w3m#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62)
- New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63)
- New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61)
- New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58)
- New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70)
- New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71)
- New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66)
- New patch 944_lineproc0.patch to fix use after free (tats/w3m#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57)
- New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72)
- New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77)
- New patch 950_textarea.patch to fix infinite loop (tats/w3m#85)
- New patch 951_lineproc0.patch to fix use after free (tats/w3m#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (tats/w3m#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68)
Diffstat (limited to '')
22 files changed, 710 insertions, 0 deletions
| diff --git a/debian/patches/934_menu.patch b/debian/patches/934_menu.patch
new file mode 100644
index 0000000..b2421f6
--- /dev/null
+++ b/debian/patches/934_menu.patch
@@ -0,0 +1,25 @@
+Subject: Fix menu buffer-overflow
+From: Kuang-che Wu <kcwu@google.com>
+Bug-Debian: https://github.com/tats/w3m/pull/49
+Origin: https://github.com/tats/w3m/pull/49/commits/7e1c05dd90cf42a308e854881ea3813aed000d2e
+
+---
+ menu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/menu.c b/menu.c
+index 0f66583..6c5fee0 100644
+--- a/menu.c
++++ b/menu.c
+@@ -1692,7 +1692,7 @@ initMenu(void)
+     FILE *mf;
+     MenuList *list;
+ 
+-    w3mMenuList = New_N(MenuList, 3);
++    w3mMenuList = New_N(MenuList, 4);
+     w3mMenuList[0].id = "Main";
+     w3mMenuList[0].menu = &MainMenu;
+     w3mMenuList[0].item = MainMenuItem;
+-- 
+2.10.2
+
diff --git a/debian/patches/935_shiftanchor.patch b/debian/patches/935_shiftanchor.patch
new file mode 100644
index 0000000..7927290
--- /dev/null
+++ b/debian/patches/935_shiftanchor.patch
@@ -0,0 +1,26 @@
+Subject: Prevent negative array index for marks in shiftAnchorPosition()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/62
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d57c13282afc6b7dca029f992331b7afa0413356
+
+---
+ anchor.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/anchor.c b/anchor.c
+index ecb211d..bed8db2 100644
+--- a/anchor.c
++++ b/anchor.c
+@@ -551,7 +551,8 @@ shiftAnchorPosition(AnchorList *al, HmarkerList *hl, int line, int pos,
+ 	    break;
+ 	if (a->start.pos > pos) {
+ 	    a->start.pos += shift;
+-	    if (hl && hl->marks && hl->marks[a->hseq].line == line)
++	    if (hl && hl->marks &&
++		a->hseq >= 0 && hl->marks[a->hseq].line == line)
+ 		hl->marks[a->hseq].pos = a->start.pos;
+ 	}
+ 	if (a->end.pos >= pos)
+-- 
+2.10.2
+
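Review bot: The new count in `w3mMenuList = New_N(MenuList, 4);` is a magic number that has to stay in step with the entries initialised after it, and only `w3mMenuList[0]` is visible in the hunk, so the next menu added to initMenu() can reintroduce exactly this overflow. Presumably the fourth slot is a terminator entry after the three menus — confirm against the initialisers below, which are outside the hunk. Either a named constant used at both the allocation and the last initialiser, or a comment on the allocation such as `/* 3 menus + terminating entry; keep in sync with the initialisers below */`, would make the size self-documenting.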
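Review bot: The new guard in shiftAnchorPosition() checks `a->hseq >= 0` but not the upper bound, so an hseq at or beyond the number of marks still indexes `hl->marks` out of range; the sibling fix 938_lineproc2body.patch in this same commit checks both `hseq >= 0` and `hseq < buf->hmarklist->nmark`. Suggest `a->hseq >= 0 && a->hseq < hl->nmark && hl->marks[a->hseq].line == line`, assuming the HmarkerList passed here carries the same `nmark` field the Buffer's hmarklist does. shiftAnchorPosition() starts before the hunk, so whether an earlier loop bound already guarantees this is not visible.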
diff --git a/debian/patches/936_metarefresh.patch b/debian/patches/936_metarefresh.patch new file mode 100644 index 0000000..0014c64 --- /dev/null +++ b/debian/patches/936_metarefresh.patch @@ -0,0 +1,28 @@ +Subject: Prevent negative array index in getMetaRefreshParam() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/63 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6c6a2cbced21ceec2fac08fba1ad271a77f9dbc2 + +--- + file.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/file.c b/file.c +index e82eaf1..18b350a 100644 +--- a/file.c ++++ b/file.c +@@ -4361,8 +4361,9 @@ getMetaRefreshParam(char *q, Str *refresh_uri) + 		r++; + 	    s_tmp = Strnew_charp_n(q, r - q); +  +-	    if (s_tmp->ptr[s_tmp->length - 1] == '\"'          /* " */ +-	       || s_tmp->ptr[s_tmp->length - 1] == '\'') {     /* ' */ ++	    if (s_tmp->length > 0 && ++	        (s_tmp->ptr[s_tmp->length - 1] == '\"' ||	/* " */ ++		 s_tmp->ptr[s_tmp->length - 1] == '\'')) {	/* ' */ + 		s_tmp->length--; + 		s_tmp->ptr[s_tmp->length] = '\0'; + 	    } +--  +2.10.2 + diff --git a/debian/patches/937_lineproc0.patch b/debian/patches/937_lineproc0.patch new file mode 100644 index 0000000..34f5b63 --- /dev/null +++ b/debian/patches/937_lineproc0.patch 
@@ -0,0 +1,25 @@ +Subject: Prevent negative value of row for pushTable() in HTMLlineproc0() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/67 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=0e66622582db13c4ffeba38067e15efd2d68cd75 + +--- + file.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/file.c b/file.c +index 18b350a..6850db1 100644 +--- a/file.c ++++ b/file.c +@@ -6404,6 +6404,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal) + 		if (obuf->table_level >= 0) { + 		    struct table *tbl0 = tables[obuf->table_level]; + 		    str = Sprintf("<table_alt tid=%d>", tbl0->ntable)->ptr; ++		    if (tbl0->row < 0) ++			continue; + 		    pushTable(tbl0, tbl); + 		    tbl = tbl0; + 		    tbl_mode = &table_mode[obuf->table_level]; +--  +2.10.2 + diff --git a/debian/patches/938_lineproc2body.patch b/debian/patches/938_lineproc2body.patch new file mode 100644 index 0000000..67d39d8 --- /dev/null +++ b/debian/patches/938_lineproc2body.patch @@ -0,0 +1,25 @@ +Subject: Prevent negative array index for marks in HTMLlineproc2body() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/61 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=f34c37f3156d1578a53dccc582c83c88fff76f87 + +--- + file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index 6850db1..c5aeb88 100644 +--- a/file.c ++++ b/file.c +@@ -5699,7 +5699,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit) + 			a_href->end.pos = pos; + 			if (a_href->start.line == a_href->end.line && + 			    a_href->start.pos == a_href->end.pos) { +-			    if (buf->hmarklist && ++			    if (buf->hmarklist && a_href->hseq >= 0 && + 				a_href->hseq < buf->hmarklist->nmark) + 				buf->hmarklist->marks[a_href->hseq].invalid = 1; + 			    a_href->hseq = -1; +--  +2.10.2 + 
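Review bot: The `if (tbl0->row < 0) continue;` check in HTMLlineproc0() is placed after `str = Sprintf("<table_alt tid=%d>", tbl0->ntable)->ptr;`, so the bail-out path allocates a string it never uses; moving the two added lines above the Sprintf call avoids that. `continue` also abandons the iteration without touching `obuf->table_level` or `tbl`, which is only safe if the caller later closes the table level consistently — not visible here, as the function continues on both sides of the hunk. A comment on the guard, `/* table has no row yet: drop this <table_alt> instead of pushing into it (tats/w3m#67) */`, would record why the token is silently dropped.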
diff --git a/debian/patches/939_textarea.patch b/debian/patches/939_textarea.patch new file mode 100644 index 0000000..fc6a011 --- /dev/null +++ b/debian/patches/939_textarea.patch @@ -0,0 +1,25 @@ +Subject: Prevent negative array index in process_textarea() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/58 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d7f55d5959c3e06e9f110f13def7ae9015882e1e + +--- + file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index c5aeb88..330ae3a 100644 +--- a/file.c ++++ b/file.c +@@ -3995,7 +3995,7 @@ process_textarea(struct parsed_tag *tag, int width) +     cur_textarea_size = 20; +     if (parsedtag_get_value(tag, ATTR_COLS, &p)) { + 	cur_textarea_size = atoi(p); +-	if (p[strlen(p) - 1] == '%') ++	if (strlen(p) > 0 && p[strlen(p) - 1] == '%') + 	    cur_textarea_size = width * cur_textarea_size / 100 - 2; + 	if (cur_textarea_size <= 0) { + 	    cur_textarea_size = 20; +--  +2.10.2 + diff --git a/debian/patches/940_tabattr.patch b/debian/patches/940_tabattr.patch new file mode 100644 index 0000000..56c85a8 --- /dev/null +++ b/debian/patches/940_tabattr.patch 
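Review bot: In process_textarea() `strlen(p)` is now called twice per attribute, and the value still comes from `atoi(p)`, whose result on out-of-range input is unspecified; with a document-controlled `cols`, `width * cur_textarea_size` is a signed multiplication that can overflow before the `<= 0` check runs, which is undefined behaviour the check cannot rely on. Cache the length and bound the value before multiplying: `size_t n = strlen(p);` then `if (n > 0 && p[n - 1] == '%')`, with cur_textarea_size clamped to a sane maximum (or parsed with `strtol` and ERANGE handling) ahead of the percentage computation. process_textarea() continues outside the hunk.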
@@ -0,0 +1,25 @@ +Subject: Prevent array index out of bounds for tabattr in feed_table_tag() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/60 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a6ddc331e90698fa57732bd55f2e8407f3f32f7a + +--- + table.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/table.c b/table.c +index c57187a..1a37772 100644 +--- a/table.c ++++ b/table.c +@@ -2593,7 +2593,7 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode, + 	} + 	tbl->col++; + 	check_row(tbl, tbl->row); +-	while (tbl->tabattr[tbl->row][tbl->col]) { ++	while (tbl->col < MAXCOL && tbl->tabattr[tbl->row][tbl->col]) { + 	    tbl->col++; + 	} + 	if (tbl->col > MAXCOL - 1) { +--  +2.10.2 + diff --git a/debian/patches/941_integeredwidth.patch b/debian/patches/941_integeredwidth.patch new file mode 100644 index 0000000..660c327 --- /dev/null +++ b/debian/patches/941_integeredwidth.patch 
@@ -0,0 +1,34 @@ +Subject: Prevent negative array index in set_integered_width() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/70 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a3ed914b0cfc3750e0eb57bb21e2ec6f86ca94f0 + +--- + table.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/table.c b/table.c +index 1a37772..84e4bf6 100644 +--- a/table.c ++++ b/table.c +@@ -961,7 +961,7 @@ set_integered_width(struct table *t, double *dwidth, short *iwidth) +     for (step = 0; step < 2; step++) { + 	for (i = 0; i <= t->maxcol; i += n) { + 	    int nn; +-	    char *idx; ++	    short *idx; + 	    double nsum; + 	    if (sum < 0.5) + 		return; +@@ -982,7 +982,7 @@ set_integered_width(struct table *t, double *dwidth, short *iwidth) + 		    (double)rulewidth - mod[ii] > 0.5) + 		    fixed[ii] = 1; + 	    } +-	    idx = NewAtom_N(char, n); ++	    idx = NewAtom_N(short, n); + 	    for (k = 0; k < cell->maxcell; k++) { + 		int kk, w, width, m; + 		j = cell->index[k]; +--  +2.10.2 + diff --git a/debian/patches/942_tridvalue.patch b/debian/patches/942_tridvalue.patch new file mode 100644 index 0000000..bf8e7f0 --- /dev/null +++ b/debian/patches/942_tridvalue.patch 
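Review bot: Changing `idx` from `char *` to `short *` in set_integered_width() fixes column indices above 127 wrapping negative in a signed char, but nothing in the code says so, and a reader looking to save memory could shrink it back. A comment at the declaration, `short *idx;	/* column indices; may exceed CHAR_MAX (tats/w3m#70) */`, records the reason, and the matching `NewAtom_N(short, n)` in the second hunk should reference the same note. The function continues on both sides of both hunks, so whether other `char` arrays in it hold column indices is not visible here.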
@@ -0,0 +1,28 @@ +Subject: Prevent array index out of bounds for tridvalue in feed_table_tag() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/71 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=30b0c971676e229dabd2715c200f76bcfe27a714 + +--- + table.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/table.c b/table.c +index 84e4bf6..1313533 100644 +--- a/table.c ++++ b/table.c +@@ -2567,8 +2567,10 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode, + 	    } + 	} + #ifdef ID_EXT +-	if (parsedtag_get_value(tag, ATTR_ID, &p)) ++	if (parsedtag_get_value(tag, ATTR_ID, &p)) { ++	    check_row(tbl, tbl->row); + 	    tbl->tridvalue[tbl->row] = Strnew_charp(p); ++	} + #endif				/* ID_EXT */ + 	tbl->trattr = align | valign; + 	break; +--  +2.10.2 + diff --git a/debian/patches/943_pushlink.patch b/debian/patches/943_pushlink.patch new file mode 100644 index 0000000..3b24cb4 --- /dev/null +++ b/debian/patches/943_pushlink.patch @@ -0,0 +1,32 @@ +Subject: Prevent negative values for offset and pos in push_link() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/64 +Bug-Debian: https://github.com/tats/w3m/issues/66 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=ecf57714191b77142da74035b748262cdc80dfb7 + +--- + file.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/file.c b/file.c +index 330ae3a..483180a 100644 +--- a/file.c ++++ b/file.c +@@ -2307,8 +2307,12 @@ push_link(int cmd, int offset, int pos) +     struct link_stack *p; +     p = New(struct link_stack); +     p->cmd = cmd; +-    p->offset = offset; +-    p->pos = pos; ++    p->offset = (short)offset; ++    if (p->offset < 0) ++	p->offset = 0; ++    p->pos = (short)pos; ++    if (p->pos < 0) ++	p->pos = 0; +     p->next = link_stack; +     link_stack = p; + } +--  +2.10.2 + 
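Review bot: In push_link() `p->offset = (short)offset;` narrows before the sign check, so an `offset` above SHRT_MAX is converted in an implementation-defined way — values that land negative are clamped to 0, but values that land positive are silently wrong. Clamp the `int` first and narrow last, `p->offset = offset < 0 ? 0 : (offset > SHRT_MAX ? SHRT_MAX : (short)offset);`, and the same for `pos` (SHRT_MAX needs `<limits.h>`). The casts suggest the struct fields are `short`; if they are not, the cast alone is misleading and the clamp should use the field's actual type.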
diff --git a/debian/patches/944_lineproc0.patch b/debian/patches/944_lineproc0.patch new file mode 100644 index 0000000..6cee164 --- /dev/null +++ b/debian/patches/944_lineproc0.patch @@ -0,0 +1,26 @@ +Subject: Prevent heap-use-after-free in HTMLlineproc0() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/65 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=26484fc1381e5ec758db950f2bd17f1496220c92 + +--- + file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index 483180a..f5ca8d2 100644 +--- a/file.c ++++ b/file.c +@@ -6585,7 +6585,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal) + 		indent = h_env->envs[h_env->envc].indent; + 		if (obuf->bp.pos - i > indent) { + 		    Str line; +-		    append_tags(obuf); ++		    append_tags(obuf);	/* may reallocate the buffer */ ++		    bp = obuf->line->ptr + obuf->bp.len; + 		    line = Strnew_charp(bp); + 		    Strshrink(obuf->line, obuf->line->length - obuf->bp.len); + #ifdef FORMAT_NICE +--  +2.10.2 + diff --git a/debian/patches/945_wtfstrwidth.patch b/debian/patches/945_wtfstrwidth.patch new file mode 100644 index 0000000..36ee878 --- /dev/null +++ b/debian/patches/945_wtfstrwidth.patch 
@@ -0,0 +1,40 @@ +Subject: Prevent overflow beyond the end of string in wtf_strwidth() and wtf_len() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/57 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7fbaf9444fcd2d3ce061775949b38deb4d489943 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a56a8ef132945512c010cbcbc873dbb42274f9bd + +--- + libwc/wtf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libwc/wtf.c b/libwc/wtf.c +index b8cfdc7..adee338 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -120,8 +120,9 @@ int + wtf_strwidth(wc_uchar *p) + { +     int w = 0; ++    wc_uchar *q = p + strlen(p); +  +-    while (*p) { ++    while (p < q) { + 	w += wtf_width(p); + 	p += WTF_LEN_MAP[*p]; +     } +@@ -140,9 +141,10 @@ size_t + wtf_len(wc_uchar *p) + { +     wc_uchar *q = p; ++    wc_uchar *strz = p + strlen(p); +  +     q += WTF_LEN_MAP[*q]; +-    while (*q && ! WTF_WIDTH_MAP[*q]) ++    while (q < strz && ! WTF_WIDTH_MAP[*q]) + 	q += WTF_LEN_MAP[*q]; +     return q - p; + } +--  +2.10.2 + diff --git a/debian/patches/946_strnewsize.patch b/debian/patches/946_strnewsize.patch new file mode 100644 index 0000000..713ec0c --- /dev/null +++ b/debian/patches/946_strnewsize.patch @@ -0,0 +1,25 @@ +Subject: Prevent heap-buffer-overflow in Strnew_size() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/72 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=4381dffaa3fdf94c384f3588b5c7dff3ba1cc4ae + +--- + Str.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Str.c b/Str.c +index 5287c0f..7a094f5 100644 +--- a/Str.c ++++ b/Str.c +@@ -48,6 +48,8 @@ Str + Strnew_size(int n) + { +     Str x = GC_MALLOC(sizeof(struct _Str)); ++    if (n < 0) ++	n = 0; +     x->ptr = GC_MALLOC_ATOMIC(n + 1); +     x->ptr[0] = '\0'; +     x->area_size = n + 1; +--  +2.10.2 + 
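Review bot: Both hunks pass a `wc_uchar *` (presumably unsigned char) to `strlen`, which expects `const char *`; that is an incompatible-pointer-type diagnostic in C, so write `strlen((char *)p)`. The `while (p < q)` loop in wtf_strwidth() still advances with `p += WTF_LEN_MAP[*p]`, so a truncated trailing sequence steps past `q` and the loop terminates only because the comparison is `<` rather than `!=`; a one-line comment, `/* p may overshoot q on a truncated sequence, hence '<' */`, would keep a later tidy-up from breaking it. The same applies to `q < strz` in wtf_len().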
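Review bot: Clamping negative `n` in Strnew_size() fixes the underflow, but the upper end is still unguarded: `n + 1` overflows when `n == INT_MAX`, and `x->area_size = n + 1` then records a negative size against a tiny allocation. A combined check, `if (n < 0 || n > INT_MAX - 1)`, with the out-of-range case clamped or rejected (needs `<limits.h>`), closes that; the function continues past the hunk, so how area_size is consumed is not visible here.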
diff --git a/debian/patches/947_realcolumn.patch b/debian/patches/947_realcolumn.patch new file mode 100644 index 0000000..152088e --- /dev/null +++ b/debian/patches/947_realcolumn.patch @@ -0,0 +1,25 @@ +Subject: Prevent negative array index for realColumn in calcPosition() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/69 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=1978455e2ed01699789e8374d29515b74b867b2b + +--- + etc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/etc.c b/etc.c +index 8fe1215..af8a5d3 100644 +--- a/etc.c ++++ b/etc.c +@@ -498,7 +498,7 @@ calcPosition(char *l, Lineprop *pr, int len, int pos, int bpos, int mode) +     static char *prevl = NULL; +     int i, j; +  +-    if (l == NULL || len == 0) ++    if (l == NULL || len == 0 || pos < 0) + 	return bpos; +     if (l == prevl && mode == CP_AUTO) { + 	if (pos <= len) +--  +2.10.2 + diff --git a/debian/patches/948_getmclen.patch b/debian/patches/948_getmclen.patch new file mode 100644 index 0000000..1504f23 --- /dev/null +++ b/debian/patches/948_getmclen.patch 
@@ -0,0 +1,76 @@ +Subject: Prevent overflow beyond the end of string in caller of get_mclen() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/59 +Bug-Debian: https://github.com/tats/w3m/issues/73 +Bug-Debian: https://github.com/tats/w3m/issues/74 +Bug-Debian: https://github.com/tats/w3m/issues/75 +Bug-Debian: https://github.com/tats/w3m/issues/76 +Bug-Debian: https://github.com/tats/w3m/issues/78 +Bug-Debian: https://github.com/tats/w3m/issues/79 +Bug-Debian: https://github.com/tats/w3m/issues/80 +Bug-Debian: https://github.com/tats/w3m/issues/83 +Bug-Debian: https://github.com/tats/w3m/issues/84 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6eea841d3a0f8dc539584dc67b15f585a8213775 + +--- + file.c      |  2 +- + libwc/wtf.c | 11 ++++++++--- + libwc/wtf.h |  3 +-- + 3 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/file.c b/file.c +index f5ca8d2..4fe8239 100644 +--- a/file.c ++++ b/file.c +@@ -3438,7 +3438,7 @@ process_img(struct parsed_tag *tag, int width) + 	if (use_image) { + 	    if (n > nw) { + 		char *r; +-		for (r = q, n = 0; r; r += get_mclen(r), n += get_mcwidth(r)) { ++		for (r = q, n = 0; *r; r += get_mclen(r), n += get_mcwidth(r)) { + 		    if (n + get_mcwidth(r) > nw) + 			break; + 		} +diff --git a/libwc/wtf.c b/libwc/wtf.c +index adee338..e80d990 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -129,13 +129,18 @@ wtf_strwidth(wc_uchar *p) +     return w; + } +  +-/* + size_t + wtf_len1(wc_uchar *p) + { +-    return (size_t)WTF_LEN_MAP[*p]; ++    size_t len, len_max = WTF_LEN_MAP[*p]; ++ ++    for (len = 0; *(p + len); len++) ++	if (len == len_max) ++	    break; ++    if (len == 0) ++	len = 1; ++    return len; + } +-*/ +  + size_t + wtf_len(wc_uchar *p) +diff --git a/libwc/wtf.h b/libwc/wtf.h +index ad47973..435526f 100644 +--- a/libwc/wtf.h ++++ b/libwc/wtf.h +@@ -59,8 +59,7 @@ extern void       wtf_init(wc_ces ces1, wc_ces ces2); + #define wtf_width(p) 
(WcOption.use_wide ? (int)WTF_WIDTH_MAP[(wc_uchar)*(p)] \ + 		      : ((int)WTF_WIDTH_MAP[(wc_uchar)*(p)] ? 1 : 0)) + extern int        wtf_strwidth(wc_uchar *p); +-/* extern size_t  wtf_len1(wc_uchar *p); */ +-#define wtf_len1(p) ((int)WTF_LEN_MAP[(wc_uchar)*(p)]) ++extern size_t     wtf_len1(wc_uchar *p); + extern size_t     wtf_len(wc_uchar *p); + /* extern int     wtf_type(wc_uchar *p); */ + #define wtf_type(p) WTF_TYPE_MAP[(wc_uchar)*(p)] +--  +2.10.2 + diff --git a/debian/patches/949_wtftowcs.patch b/debian/patches/949_wtftowcs.patch new file mode 100644 index 0000000..d53a1f9 --- /dev/null +++ b/debian/patches/949_wtftowcs.patch @@ -0,0 +1,36 @@ +Subject: Prevent overflow beyond the end of string for wtf to wcs macros +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/77 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=c3a3305e0334f76626aeaca76bcfab04a94f851d + +--- + libwc/wtf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libwc/wtf.c b/libwc/wtf.c +index e80d990..cdc6cbc 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -173,15 +173,17 @@ wtf_type(wc_uchar *p) +     ((p)[3] = (((c) >>  7) & 0x7f) | 0x80), \ +     ((p)[4] = ( (c)        & 0x7f) | 0x80) + #define wtf_to_wcs16(p) \ ++    ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 ? 0 : \ +       ((wc_uint32)((p)[0] & 0x03) << 14) \ +     | ((wc_uint32)((p)[1] & 0x7f) <<  7) \ +-    | ((wc_uint32)((p)[2] & 0x7f)      ) ++    | ((wc_uint32)((p)[2] & 0x7f)      )) + #define wtf_to_wcs32(p) \ ++    ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 || (p)[3] == 0 || (p)[4] == 0 ? 0 : \ +       ((wc_uint32)((p)[0] & 0x0f) << 28) \ +     | ((wc_uint32)((p)[1] & 0x7f) << 21) \ +     | ((wc_uint32)((p)[2] & 0x7f) << 14) \ +     | ((wc_uint32)((p)[3] & 0x7f) <<  7) \ +-    | ((wc_uint32)((p)[4] & 0x7f)      ) ++    | ((wc_uint32)((p)[4] & 0x7f)      )) +  + void + wtf_push(Str os, wc_ccs ccs, wc_uint32 code) +--  +2.10.2 + 
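Review bot: The new wtf_len1() body is hard to read because its stopping condition is split between the `for` test and an `if/break` inside the loop; `for (len = 0; len < len_max && p[len]; len++) ;` followed by `return len ? len : 1;` is equivalent (it stops at the first NUL or at len_max, and never returns 0) and states the intent — the shorter of the mapped length and the remaining string — directly. The header hunk also turns wtf_len1 from an `int`-valued macro into a `size_t` function, so any caller that compares or subtracts its result against signed ints now does unsigned arithmetic; the patch does not touch callers, which is worth checking. The process_img() hunk's `r` → `*r` fix is correct as written.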
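Review bot: The wtf_to_wcs16/wtf_to_wcs32 macros now yield 0 for a sequence cut short by NUL, but nothing documents that 0 is the "truncated" value, and the caller patched in 954_wtfparse1.patch repeats the same NUL checks before invoking them, so the guard exists twice with no note on which is authoritative. A comment above the macros, `/* 0 when the sequence is cut short by NUL; callers must treat 0 as truncated */`, would fix that. Each `(p)[k]` is also now evaluated twice, so the argument must be side-effect free — worth stating in the same comment.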
diff --git a/debian/patches/950_textarea.patch b/debian/patches/950_textarea.patch new file mode 100644 index 0000000..1433d75 --- /dev/null +++ b/debian/patches/950_textarea.patch @@ -0,0 +1,27 @@ +Subject: Prevent infinite loop in feed_textarea() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/85 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7a2675b4a5680d44645e72c4ec1258746a6e1b66 + +--- + file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index 4fe8239..da16a0a 100644 +--- a/file.c ++++ b/file.c +@@ -4076,7 +4076,9 @@ feed_textarea(char *str) + 	    Strcat_charp(textarea_str[n_textarea], "\r\n"); + 	    str++; + 	} +-	else if (*str != '\r') ++	else if (*str == '\r') ++	    str++; ++	else + 	    Strcat_char(textarea_str[n_textarea], *(str++)); +     } + } +--  +2.10.2 + diff --git a/debian/patches/951_lineproc0.patch b/debian/patches/951_lineproc0.patch new file mode 100644 index 0000000..6585cca --- /dev/null +++ b/debian/patches/951_lineproc0.patch @@ -0,0 +1,25 @@ +Subject: Prevent heap-use-after-free read in HTMLlineproc0() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/81 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=aa2077e06fc11f65ba1773e8f5da83d98057e829 + +--- + file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index da16a0a..6ecb0a6 100644 +--- a/file.c ++++ b/file.c +@@ -6328,7 +6328,7 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal) + 	    } + 	    if (h_env->tagbuf->length == 0) + 		continue; +-	    str = h_env->tagbuf->ptr; ++	    str = Strdup(h_env->tagbuf)->ptr; + 	    if (*str == '<') { + 		if (str[1] && REALLY_THE_BEGINNING_OF_A_TAG(str)) + 		    is_tag = TRUE; +--  +2.10.2 + 
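Review bot: A bare CR is now consumed and dropped in feed_textarea() without any trace, while the preceding branch (its condition is outside the hunk) emits "\r\n"; the asymmetry is deliberate — it is what makes the loop always advance — but a reader will not know that. A comment on the new branch, `/* lone CR: skip it so the loop always advances (tats/w3m#85) */`, records the reason.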
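Review bot: `str = Strdup(h_env->tagbuf)->ptr;` in HTMLlineproc0() removes the use-after-free by taking a private copy, but the line reads like a gratuitous allocation and someone will eventually "optimise" it back to `h_env->tagbuf->ptr`. Add the reason inline: `str = Strdup(h_env->tagbuf)->ptr;	/* copy: tagbuf is reused while str is still being parsed (tats/w3m#81) */`. Whether every later use of `str` is covered by this copy is not visible, as the function continues outside the hunk.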
diff --git a/debian/patches/952_formupdatebuffer.patch b/debian/patches/952_formupdatebuffer.patch new file mode 100644 index 0000000..c5b7444 --- /dev/null +++ b/debian/patches/952_formupdatebuffer.patch @@ -0,0 +1,26 @@ +Subject: Prevent invalid form_update_line() call in formUpdateBuffer() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/82 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=dc32152dc051923e322fc251aaa2dbd5e54c0fbf + +--- + form.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/form.c b/form.c +index 1aaaf19..162439a 100644 +--- a/form.c ++++ b/form.c +@@ -490,7 +490,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) + 		spos = a->start.pos; + 		epos = a->end.pos; + 	    } +-	    if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0) ++	    if (a->start.line != a->end.line || spos > epos || epos >= l->len || ++		spos < 0 || epos < 0 || COLPOS(l, epos) < col) + 		break; + 	    pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col, + 				   rows > 1, +--  +2.10.2 + diff --git a/debian/patches/953_formupdateline.patch b/debian/patches/953_formupdateline.patch new file mode 100644 index 0000000..77ede43 --- /dev/null +++ b/debian/patches/953_formupdateline.patch 
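Review bot: `COLPOS(l, epos)` is evaluated in the new condition and again in the `form_update_line` call right below it; if COLPOS is non-trivial (it looks like a column-computation macro) that is repeated work per form item, and the repetition hides that the guard and the argument are the same quantity. Hoisting it — `int ecol = COLPOS(l, epos);` before the `if`, then `ecol < col` in the condition and `ecol - col` in the call — makes the purpose of the new check, never passing a negative width, explicit. formUpdateBuffer() continues on both sides of the hunk.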
@@ -0,0 +1,26 @@ +Subject: Preserve one byte for end of string character in form_update_line() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/68#issuecomment-266214643 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=eb4130a7cd2202de6aeb772b7e4f2a417dbff173 + +--- + form.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/form.c b/form.c +index 162439a..0605513 100644 +--- a/form.c ++++ b/form.c +@@ -320,7 +320,8 @@ form_update_line(Line *line, char **str, int spos, int epos, int width, +     pos += width - w; +  +     len = line->len + pos + spos - epos; +-    buf = New_N(char, len); ++    buf = New_N(char, len + 1); ++    buf[len] = '\0'; +     prop = New_N(Lineprop, len); +     bcopy((void *)line->lineBuf, (void *)buf, spos * sizeof(char)); +     bcopy((void *)line->propBuf, (void *)prop, spos * sizeof(Lineprop)); +--  +2.10.2 + diff --git a/debian/patches/954_wtfparse1.patch b/debian/patches/954_wtfparse1.patch new file mode 100644 index 0000000..62b5e91 --- /dev/null +++ b/debian/patches/954_wtfparse1.patch 
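Review bot: The extra byte and `buf[len] = '\0'` fix the missing terminator, but `len = line->len + pos + spos - epos;` is still unchecked: if `pos + spos - epos` is negative enough, `len` goes negative, `New_N(char, len + 1)` gets a bogus size and `buf[len] = '\0'` writes before the block. 952_formupdatebuffer.patch keeps one contributor (the width) non-negative from the caller's side, but a local guard that rejects `len < 0` would make form_update_line() safe on its own. Note also that `prop` is still allocated with `len`, not `len + 1`, which is fine only if nothing writes `prop[len]`; the function continues on both sides of the hunk.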
@@ -0,0 +1,84 @@ +Subject: Prevent overflow beyond the end of string in wtf_parse1() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/68 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=00433f4ac2645ac6236ea1892b4a93f26a039a84 + +--- + libwc/wtf.c | 44 ++++++++++++++++++++++++++++++++------------ + 1 file changed, 32 insertions(+), 12 deletions(-) + +diff --git a/libwc/wtf.c b/libwc/wtf.c +index cdc6cbc..94d95c1 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -397,7 +397,7 @@ wtf_parse1(wc_uchar **p) + 	cc.code = *(q++); +     } else if (*q > 0xa0) { + 	cc.ccs = wtf_gr_ccs; +-	if (WC_CCS_IS_WIDE(cc.ccs)) { ++	if (WC_CCS_IS_WIDE(cc.ccs) && *(q+1)) { + 	    cc.code = ((wc_uint32)*q << 8) | *(q+1); + 	    q += 2; + 	} else +@@ -410,27 +410,47 @@ wtf_parse1(wc_uchar **p) + 	case WC_CCS_A_CS942: + 	case WC_CCS_A_PCS: + 	case WC_CCS_A_UNKNOWN: +-	    cc.ccs |= *(q++) & 0x7f; +-	    cc.code = *(q++); ++	    if (*q && *(q+1)) { ++		cc.ccs |= *(q++) & 0x7f; ++		cc.code = *(q++); ++	    } else { ++		cc.ccs = WC_CCS_US_ASCII; ++		cc.code = (wc_uint32)' '; ++	    } + 	    break; + 	case WC_CCS_A_CS94W: + 	case WC_CCS_A_CS96W: + 	case WC_CCS_A_PCSW: +-	    cc.ccs |= *(q++) & 0x7f; +-	    cc.code = ((wc_uint32)*q << 8) | *(q+1); +-	    q += 2; ++	    if (*q && *(q+1) && *(q+2)) { ++		cc.ccs |= *(q++) & 0x7f; ++		cc.code = ((wc_uint32)*q << 8) | *(q+1); ++		q += 2; ++	    } else { ++		cc.ccs = WC_CCS_US_ASCII; ++		cc.code = (wc_uint32)' '; ++	    } + 	    break; + 	case WC_CCS_A_WCS16: + 	case WC_CCS_A_WCS16W: +-	    cc.ccs |= (*q & 0x7c) >> 2; +-	    cc.code = wtf_to_wcs16(q); +-	    q += 3; ++	    if (*q && *(q+1) && *(q+2)) { ++		cc.ccs |= (*q & 0x7c) >> 2; ++		cc.code = wtf_to_wcs16(q); ++		q += 3; ++	    } else { ++		cc.ccs = WC_CCS_US_ASCII; ++		cc.code = (wc_uint32)' '; ++	    } + 	    break; + 	case WC_CCS_A_WCS32: + 	case WC_CCS_A_WCS32W: +-	    cc.ccs |= (*q & 0x70) >> 4; +-	    cc.code = 
wtf_to_wcs32(q); +-	    q += 5; ++	    if (*q && *(q+1) && *(q+2) && *(q+3) && *(q+4)) { ++		cc.ccs |= (*q & 0x70) >> 4; ++		cc.code = wtf_to_wcs32(q); ++		q += 5; ++	    } else { ++		cc.ccs = WC_CCS_US_ASCII; ++		cc.code = (wc_uint32)' '; ++	    } + 	    break; + 	default: + 	/* case 0: */ +--  +2.10.2 + diff --git a/debian/patches/series b/debian/patches/series index d7c9aee..2deaeaf 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -69,3 +69,24 @@  931_parse-url.patch  932_ucsmap.patch  933_table-level.patch +934_menu.patch +935_shiftanchor.patch +936_metarefresh.patch +937_lineproc0.patch +938_lineproc2body.patch +939_textarea.patch +940_tabattr.patch +941_integeredwidth.patch +942_tridvalue.patch +943_pushlink.patch +944_lineproc0.patch +945_wtfstrwidth.patch +946_strnewsize.patch +947_realcolumn.patch +948_getmclen.patch +949_wtftowcs.patch +950_textarea.patch +951_lineproc0.patch +952_formupdatebuffer.patch +953_formupdateline.patch +954_wtfparse1.patch | 
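Review bot: The four new `else` branches in wtf_parse1() all reset the result to the same US-ASCII space, `cc.ccs = WC_CCS_US_ASCII; cc.code = (wc_uint32)' ';`, and the NUL checks repeat `*q && *(q+1) && ...` with the byte count hard-coded per case, so the five sites will drift apart on the next fix. A small helper that answers "are n bytes available before the NUL" keeps the count next to the case that needs it, and the shared fallback can be one place. The WCS cases are also guarded twice, since wtf_to_wcs16/wtf_to_wcs32 (949_wtftowcs.patch) already return 0 on truncation; keep one guard and say which is authoritative. wtf_parse1() continues outside the hunk.
```c
/* true when at least n bytes precede the terminating NUL at q */
static int
wtf_has_bytes(wc_uchar *q, int n)
{
    int i;
    for (i = 0; i < n; i++)
	if (!q[i])
	    return 0;
    return 1;
}
/* … unchanged: wtf_parse1 up to the switch … */
	case WC_CCS_A_CS94W:
	case WC_CCS_A_CS96W:
	case WC_CCS_A_PCSW:
	    if (wtf_has_bytes(q, 3)) {
		cc.ccs |= *(q++) & 0x7f;
		cc.code = ((wc_uint32)*q << 8) | *(q+1);
		q += 2;
	    } else {
		cc.ccs = WC_CCS_US_ASCII;
		cc.code = (wc_uint32)' ';
	    }
	    break;
/* … unchanged: the other cases, same pattern with counts 2, 3 and 5 … */
```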
