aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2017-01-06 14:18:40 +0000
committerTatsuya Kinoshita <tats@debian.org>2017-01-06 14:18:40 +0000
commitd73f74e2cb70297d1373d7fa8921881106dc0b58 (patch)
tree66567ba8a175389f4d72346e5440bae0eb882c76
parentDebian release 0.5.3-19+deb8u1 (diff)
downloadw3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.tar.gz
w3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.zip
Fix multiple vulnerabilities (closes: #850432)
- New patch 934_menu.patch to fix buffer overflow (tats/w3m#49) - New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62) - New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63) - New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67) - New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61) - New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58) - New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60) - New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70) - New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71) - New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66) - New patch 944_lineproc0.patch to fix use after free (tats/w3m#65) - New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57) - New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72) - New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69) - New patch 948_getmclen.patch to fix buffer overflow (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84) - New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77) - New patch 950_textarea.patch to fix infinite loop (tats/w3m#85) - New patch 951_lineproc0.patch to fix use after free (tats/w3m#81) - New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82) - New patch 953_formupdateline.patch to fix buffer overflow (tats/w3m#68#issuecomment-266214643) - New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68)
Diffstat (limited to '')
-rw-r--r--debian/patches/934_menu.patch25
-rw-r--r--debian/patches/935_shiftanchor.patch26
-rw-r--r--debian/patches/936_metarefresh.patch28
-rw-r--r--debian/patches/937_lineproc0.patch25
-rw-r--r--debian/patches/938_lineproc2body.patch25
-rw-r--r--debian/patches/939_textarea.patch25
-rw-r--r--debian/patches/940_tabattr.patch25
-rw-r--r--debian/patches/941_integeredwidth.patch34
-rw-r--r--debian/patches/942_tridvalue.patch28
-rw-r--r--debian/patches/943_pushlink.patch32
-rw-r--r--debian/patches/944_lineproc0.patch26
-rw-r--r--debian/patches/945_wtfstrwidth.patch40
-rw-r--r--debian/patches/946_strnewsize.patch25
-rw-r--r--debian/patches/947_realcolumn.patch25
-rw-r--r--debian/patches/948_getmclen.patch76
-rw-r--r--debian/patches/949_wtftowcs.patch36
-rw-r--r--debian/patches/950_textarea.patch27
-rw-r--r--debian/patches/951_lineproc0.patch25
-rw-r--r--debian/patches/952_formupdatebuffer.patch26
-rw-r--r--debian/patches/953_formupdateline.patch26
-rw-r--r--debian/patches/954_wtfparse1.patch84
-rw-r--r--debian/patches/series21
22 files changed, 710 insertions, 0 deletions
diff --git a/debian/patches/934_menu.patch b/debian/patches/934_menu.patch
new file mode 100644
index 0000000..b2421f6
--- /dev/null
+++ b/debian/patches/934_menu.patch
@@ -0,0 +1,25 @@
+Subject: Fix menu buffer-overflow
+From: Kuang-che Wu <kcwu@google.com>
+Bug-Debian: https://github.com/tats/w3m/pull/49
+Origin: https://github.com/tats/w3m/pull/49/commits/7e1c05dd90cf42a308e854881ea3813aed000d2e
+
+---
+ menu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/menu.c b/menu.c
+index 0f66583..6c5fee0 100644
+--- a/menu.c
++++ b/menu.c
+@@ -1692,7 +1692,7 @@ initMenu(void)
+ FILE *mf;
+ MenuList *list;
+
+- w3mMenuList = New_N(MenuList, 3);
++ w3mMenuList = New_N(MenuList, 4);
+ w3mMenuList[0].id = "Main";
+ w3mMenuList[0].menu = &MainMenu;
+ w3mMenuList[0].item = MainMenuItem;
+--
+2.10.2
+
diff --git a/debian/patches/935_shiftanchor.patch b/debian/patches/935_shiftanchor.patch
new file mode 100644
index 0000000..7927290
--- /dev/null
+++ b/debian/patches/935_shiftanchor.patch
@@ -0,0 +1,26 @@
+Subject: Prevent negative array index for marks in shiftAnchorPosition()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/62
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d57c13282afc6b7dca029f992331b7afa0413356
+
+---
+ anchor.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/anchor.c b/anchor.c
+index ecb211d..bed8db2 100644
+--- a/anchor.c
++++ b/anchor.c
+@@ -551,7 +551,8 @@ shiftAnchorPosition(AnchorList *al, HmarkerList *hl, int line, int pos,
+ break;
+ if (a->start.pos > pos) {
+ a->start.pos += shift;
+- if (hl && hl->marks && hl->marks[a->hseq].line == line)
++ if (hl && hl->marks &&
++ a->hseq >= 0 && hl->marks[a->hseq].line == line)
+ hl->marks[a->hseq].pos = a->start.pos;
+ }
+ if (a->end.pos >= pos)
+--
+2.10.2
+
diff --git a/debian/patches/936_metarefresh.patch b/debian/patches/936_metarefresh.patch
new file mode 100644
index 0000000..0014c64
--- /dev/null
+++ b/debian/patches/936_metarefresh.patch
@@ -0,0 +1,28 @@
+Subject: Prevent negative array index in getMetaRefreshParam()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/63
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6c6a2cbced21ceec2fac08fba1ad271a77f9dbc2
+
+---
+ file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/file.c b/file.c
+index e82eaf1..18b350a 100644
+--- a/file.c
++++ b/file.c
+@@ -4361,8 +4361,9 @@ getMetaRefreshParam(char *q, Str *refresh_uri)
+ r++;
+ s_tmp = Strnew_charp_n(q, r - q);
+
+- if (s_tmp->ptr[s_tmp->length - 1] == '\"' /* " */
+- || s_tmp->ptr[s_tmp->length - 1] == '\'') { /* ' */
++ if (s_tmp->length > 0 &&
++ (s_tmp->ptr[s_tmp->length - 1] == '\"' || /* " */
++ s_tmp->ptr[s_tmp->length - 1] == '\'')) { /* ' */
+ s_tmp->length--;
+ s_tmp->ptr[s_tmp->length] = '\0';
+ }
+--
+2.10.2
+
diff --git a/debian/patches/937_lineproc0.patch b/debian/patches/937_lineproc0.patch
new file mode 100644
index 0000000..34f5b63
--- /dev/null
+++ b/debian/patches/937_lineproc0.patch
@@ -0,0 +1,25 @@
+Subject: Prevent negative value of row for pushTable() in HTMLlineproc0()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/67
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=0e66622582db13c4ffeba38067e15efd2d68cd75
+
+---
+ file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/file.c b/file.c
+index 18b350a..6850db1 100644
+--- a/file.c
++++ b/file.c
+@@ -6404,6 +6404,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal)
+ if (obuf->table_level >= 0) {
+ struct table *tbl0 = tables[obuf->table_level];
+ str = Sprintf("<table_alt tid=%d>", tbl0->ntable)->ptr;
++ if (tbl0->row < 0)
++ continue;
+ pushTable(tbl0, tbl);
+ tbl = tbl0;
+ tbl_mode = &table_mode[obuf->table_level];
+--
+2.10.2
+
diff --git a/debian/patches/938_lineproc2body.patch b/debian/patches/938_lineproc2body.patch
new file mode 100644
index 0000000..67d39d8
--- /dev/null
+++ b/debian/patches/938_lineproc2body.patch
@@ -0,0 +1,25 @@
+Subject: Prevent negative array index for marks in HTMLlineproc2body()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/61
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=f34c37f3156d1578a53dccc582c83c88fff76f87
+
+---
+ file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index 6850db1..c5aeb88 100644
+--- a/file.c
++++ b/file.c
+@@ -5699,7 +5699,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
+ a_href->end.pos = pos;
+ if (a_href->start.line == a_href->end.line &&
+ a_href->start.pos == a_href->end.pos) {
+- if (buf->hmarklist &&
++ if (buf->hmarklist && a_href->hseq >= 0 &&
+ a_href->hseq < buf->hmarklist->nmark)
+ buf->hmarklist->marks[a_href->hseq].invalid = 1;
+ a_href->hseq = -1;
+--
+2.10.2
+
diff --git a/debian/patches/939_textarea.patch b/debian/patches/939_textarea.patch
new file mode 100644
index 0000000..fc6a011
--- /dev/null
+++ b/debian/patches/939_textarea.patch
@@ -0,0 +1,25 @@
+Subject: Prevent negative array index in process_textarea()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/58
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d7f55d5959c3e06e9f110f13def7ae9015882e1e
+
+---
+ file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index c5aeb88..330ae3a 100644
+--- a/file.c
++++ b/file.c
+@@ -3995,7 +3995,7 @@ process_textarea(struct parsed_tag *tag, int width)
+ cur_textarea_size = 20;
+ if (parsedtag_get_value(tag, ATTR_COLS, &p)) {
+ cur_textarea_size = atoi(p);
+- if (p[strlen(p) - 1] == '%')
++ if (strlen(p) > 0 && p[strlen(p) - 1] == '%')
+ cur_textarea_size = width * cur_textarea_size / 100 - 2;
+ if (cur_textarea_size <= 0) {
+ cur_textarea_size = 20;
+--
+2.10.2
+
diff --git a/debian/patches/940_tabattr.patch b/debian/patches/940_tabattr.patch
new file mode 100644
index 0000000..56c85a8
--- /dev/null
+++ b/debian/patches/940_tabattr.patch
@@ -0,0 +1,25 @@
+Subject: Prevent array index out of bounds for tabattr in feed_table_tag()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/60
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a6ddc331e90698fa57732bd55f2e8407f3f32f7a
+
+---
+ table.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/table.c b/table.c
+index c57187a..1a37772 100644
+--- a/table.c
++++ b/table.c
+@@ -2593,7 +2593,7 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode,
+ }
+ tbl->col++;
+ check_row(tbl, tbl->row);
+- while (tbl->tabattr[tbl->row][tbl->col]) {
++ while (tbl->col < MAXCOL && tbl->tabattr[tbl->row][tbl->col]) {
+ tbl->col++;
+ }
+ if (tbl->col > MAXCOL - 1) {
+--
+2.10.2
+
diff --git a/debian/patches/941_integeredwidth.patch b/debian/patches/941_integeredwidth.patch
new file mode 100644
index 0000000..660c327
--- /dev/null
+++ b/debian/patches/941_integeredwidth.patch
@@ -0,0 +1,34 @@
+Subject: Prevent negative array index in set_integered_width()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/70
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a3ed914b0cfc3750e0eb57bb21e2ec6f86ca94f0
+
+---
+ table.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/table.c b/table.c
+index 1a37772..84e4bf6 100644
+--- a/table.c
++++ b/table.c
+@@ -961,7 +961,7 @@ set_integered_width(struct table *t, double *dwidth, short *iwidth)
+ for (step = 0; step < 2; step++) {
+ for (i = 0; i <= t->maxcol; i += n) {
+ int nn;
+- char *idx;
++ short *idx;
+ double nsum;
+ if (sum < 0.5)
+ return;
+@@ -982,7 +982,7 @@ set_integered_width(struct table *t, double *dwidth, short *iwidth)
+ (double)rulewidth - mod[ii] > 0.5)
+ fixed[ii] = 1;
+ }
+- idx = NewAtom_N(char, n);
++ idx = NewAtom_N(short, n);
+ for (k = 0; k < cell->maxcell; k++) {
+ int kk, w, width, m;
+ j = cell->index[k];
+--
+2.10.2
+
diff --git a/debian/patches/942_tridvalue.patch b/debian/patches/942_tridvalue.patch
new file mode 100644
index 0000000..bf8e7f0
--- /dev/null
+++ b/debian/patches/942_tridvalue.patch
@@ -0,0 +1,28 @@
+Subject: Prevent array index out of bounds for tridvalue in feed_table_tag()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/71
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=30b0c971676e229dabd2715c200f76bcfe27a714
+
+---
+ table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/table.c b/table.c
+index 84e4bf6..1313533 100644
+--- a/table.c
++++ b/table.c
+@@ -2567,8 +2567,10 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode,
+ }
+ }
+ #ifdef ID_EXT
+- if (parsedtag_get_value(tag, ATTR_ID, &p))
++ if (parsedtag_get_value(tag, ATTR_ID, &p)) {
++ check_row(tbl, tbl->row);
+ tbl->tridvalue[tbl->row] = Strnew_charp(p);
++ }
+ #endif /* ID_EXT */
+ tbl->trattr = align | valign;
+ break;
+--
+2.10.2
+
diff --git a/debian/patches/943_pushlink.patch b/debian/patches/943_pushlink.patch
new file mode 100644
index 0000000..3b24cb4
--- /dev/null
+++ b/debian/patches/943_pushlink.patch
@@ -0,0 +1,32 @@
+Subject: Prevent negative values for offset and pos in push_link()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/64
+Bug-Debian: https://github.com/tats/w3m/issues/66
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=ecf57714191b77142da74035b748262cdc80dfb7
+
+---
+ file.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/file.c b/file.c
+index 330ae3a..483180a 100644
+--- a/file.c
++++ b/file.c
+@@ -2307,8 +2307,12 @@ push_link(int cmd, int offset, int pos)
+ struct link_stack *p;
+ p = New(struct link_stack);
+ p->cmd = cmd;
+- p->offset = offset;
+- p->pos = pos;
++ p->offset = (short)offset;
++ if (p->offset < 0)
++ p->offset = 0;
++ p->pos = (short)pos;
++ if (p->pos < 0)
++ p->pos = 0;
+ p->next = link_stack;
+ link_stack = p;
+ }
+--
+2.10.2
+
diff --git a/debian/patches/944_lineproc0.patch b/debian/patches/944_lineproc0.patch
new file mode 100644
index 0000000..6cee164
--- /dev/null
+++ b/debian/patches/944_lineproc0.patch
@@ -0,0 +1,26 @@
+Subject: Prevent heap-use-after-free in HTMLlineproc0()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/65
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=26484fc1381e5ec758db950f2bd17f1496220c92
+
+---
+ file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index 483180a..f5ca8d2 100644
+--- a/file.c
++++ b/file.c
+@@ -6585,7 +6585,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal)
+ indent = h_env->envs[h_env->envc].indent;
+ if (obuf->bp.pos - i > indent) {
+ Str line;
+- append_tags(obuf);
++ append_tags(obuf); /* may reallocate the buffer */
++ bp = obuf->line->ptr + obuf->bp.len;
+ line = Strnew_charp(bp);
+ Strshrink(obuf->line, obuf->line->length - obuf->bp.len);
+ #ifdef FORMAT_NICE
+--
+2.10.2
+
diff --git a/debian/patches/945_wtfstrwidth.patch b/debian/patches/945_wtfstrwidth.patch
new file mode 100644
index 0000000..36ee878
--- /dev/null
+++ b/debian/patches/945_wtfstrwidth.patch
@@ -0,0 +1,40 @@
+Subject: Prevent overflow beyond the end of string in wtf_strwidth() and wtf_len()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/57
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7fbaf9444fcd2d3ce061775949b38deb4d489943
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a56a8ef132945512c010cbcbc873dbb42274f9bd
+
+---
+ libwc/wtf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index b8cfdc7..adee338 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -120,8 +120,9 @@ int
+ wtf_strwidth(wc_uchar *p)
+ {
+ int w = 0;
++ wc_uchar *q = p + strlen(p);
+
+- while (*p) {
++ while (p < q) {
+ w += wtf_width(p);
+ p += WTF_LEN_MAP[*p];
+ }
+@@ -140,9 +141,10 @@ size_t
+ wtf_len(wc_uchar *p)
+ {
+ wc_uchar *q = p;
++ wc_uchar *strz = p + strlen(p);
+
+ q += WTF_LEN_MAP[*q];
+- while (*q && ! WTF_WIDTH_MAP[*q])
++ while (q < strz && ! WTF_WIDTH_MAP[*q])
+ q += WTF_LEN_MAP[*q];
+ return q - p;
+ }
+--
+2.10.2
+
diff --git a/debian/patches/946_strnewsize.patch b/debian/patches/946_strnewsize.patch
new file mode 100644
index 0000000..713ec0c
--- /dev/null
+++ b/debian/patches/946_strnewsize.patch
@@ -0,0 +1,25 @@
+Subject: Prevent heap-buffer-overflow in Strnew_size()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/72
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=4381dffaa3fdf94c384f3588b5c7dff3ba1cc4ae
+
+---
+ Str.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Str.c b/Str.c
+index 5287c0f..7a094f5 100644
+--- a/Str.c
++++ b/Str.c
+@@ -48,6 +48,8 @@ Str
+ Strnew_size(int n)
+ {
+ Str x = GC_MALLOC(sizeof(struct _Str));
++ if (n < 0)
++ n = 0;
+ x->ptr = GC_MALLOC_ATOMIC(n + 1);
+ x->ptr[0] = '\0';
+ x->area_size = n + 1;
+--
+2.10.2
+
diff --git a/debian/patches/947_realcolumn.patch b/debian/patches/947_realcolumn.patch
new file mode 100644
index 0000000..152088e
--- /dev/null
+++ b/debian/patches/947_realcolumn.patch
@@ -0,0 +1,25 @@
+Subject: Prevent negative array index for realColumn in calcPosition()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/69
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=1978455e2ed01699789e8374d29515b74b867b2b
+
+---
+ etc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/etc.c b/etc.c
+index 8fe1215..af8a5d3 100644
+--- a/etc.c
++++ b/etc.c
+@@ -498,7 +498,7 @@ calcPosition(char *l, Lineprop *pr, int len, int pos, int bpos, int mode)
+ static char *prevl = NULL;
+ int i, j;
+
+- if (l == NULL || len == 0)
++ if (l == NULL || len == 0 || pos < 0)
+ return bpos;
+ if (l == prevl && mode == CP_AUTO) {
+ if (pos <= len)
+--
+2.10.2
+
diff --git a/debian/patches/948_getmclen.patch b/debian/patches/948_getmclen.patch
new file mode 100644
index 0000000..1504f23
--- /dev/null
+++ b/debian/patches/948_getmclen.patch
@@ -0,0 +1,76 @@
+Subject: Prevent overflow beyond the end of string in caller of get_mclen()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/59
+Bug-Debian: https://github.com/tats/w3m/issues/73
+Bug-Debian: https://github.com/tats/w3m/issues/74
+Bug-Debian: https://github.com/tats/w3m/issues/75
+Bug-Debian: https://github.com/tats/w3m/issues/76
+Bug-Debian: https://github.com/tats/w3m/issues/78
+Bug-Debian: https://github.com/tats/w3m/issues/79
+Bug-Debian: https://github.com/tats/w3m/issues/80
+Bug-Debian: https://github.com/tats/w3m/issues/83
+Bug-Debian: https://github.com/tats/w3m/issues/84
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6eea841d3a0f8dc539584dc67b15f585a8213775
+
+---
+ file.c | 2 +-
+ libwc/wtf.c | 11 ++++++++---
+ libwc/wtf.h | 3 +--
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/file.c b/file.c
+index f5ca8d2..4fe8239 100644
+--- a/file.c
++++ b/file.c
+@@ -3438,7 +3438,7 @@ process_img(struct parsed_tag *tag, int width)
+ if (use_image) {
+ if (n > nw) {
+ char *r;
+- for (r = q, n = 0; r; r += get_mclen(r), n += get_mcwidth(r)) {
++ for (r = q, n = 0; *r; r += get_mclen(r), n += get_mcwidth(r)) {
+ if (n + get_mcwidth(r) > nw)
+ break;
+ }
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index adee338..e80d990 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -129,13 +129,18 @@ wtf_strwidth(wc_uchar *p)
+ return w;
+ }
+
+-/*
+ size_t
+ wtf_len1(wc_uchar *p)
+ {
+- return (size_t)WTF_LEN_MAP[*p];
++ size_t len, len_max = WTF_LEN_MAP[*p];
++
++ for (len = 0; *(p + len); len++)
++ if (len == len_max)
++ break;
++ if (len == 0)
++ len = 1;
++ return len;
+ }
+-*/
+
+ size_t
+ wtf_len(wc_uchar *p)
+diff --git a/libwc/wtf.h b/libwc/wtf.h
+index ad47973..435526f 100644
+--- a/libwc/wtf.h
++++ b/libwc/wtf.h
+@@ -59,8 +59,7 @@ extern void wtf_init(wc_ces ces1, wc_ces ces2);
+ #define wtf_width(p) (WcOption.use_wide ? (int)WTF_WIDTH_MAP[(wc_uchar)*(p)] \
+ : ((int)WTF_WIDTH_MAP[(wc_uchar)*(p)] ? 1 : 0))
+ extern int wtf_strwidth(wc_uchar *p);
+-/* extern size_t wtf_len1(wc_uchar *p); */
+-#define wtf_len1(p) ((int)WTF_LEN_MAP[(wc_uchar)*(p)])
++extern size_t wtf_len1(wc_uchar *p);
+ extern size_t wtf_len(wc_uchar *p);
+ /* extern int wtf_type(wc_uchar *p); */
+ #define wtf_type(p) WTF_TYPE_MAP[(wc_uchar)*(p)]
+--
+2.10.2
+
diff --git a/debian/patches/949_wtftowcs.patch b/debian/patches/949_wtftowcs.patch
new file mode 100644
index 0000000..d53a1f9
--- /dev/null
+++ b/debian/patches/949_wtftowcs.patch
@@ -0,0 +1,36 @@
+Subject: Prevent overflow beyond the end of string for wtf to wcs macros
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/77
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=c3a3305e0334f76626aeaca76bcfab04a94f851d
+
+---
+ libwc/wtf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index e80d990..cdc6cbc 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -173,15 +173,17 @@ wtf_type(wc_uchar *p)
+ ((p)[3] = (((c) >> 7) & 0x7f) | 0x80), \
+ ((p)[4] = ( (c) & 0x7f) | 0x80)
+ #define wtf_to_wcs16(p) \
++ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 ? 0 : \
+ ((wc_uint32)((p)[0] & 0x03) << 14) \
+ | ((wc_uint32)((p)[1] & 0x7f) << 7) \
+- | ((wc_uint32)((p)[2] & 0x7f) )
++ | ((wc_uint32)((p)[2] & 0x7f) ))
+ #define wtf_to_wcs32(p) \
++ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 || (p)[3] == 0 || (p)[4] == 0 ? 0 : \
+ ((wc_uint32)((p)[0] & 0x0f) << 28) \
+ | ((wc_uint32)((p)[1] & 0x7f) << 21) \
+ | ((wc_uint32)((p)[2] & 0x7f) << 14) \
+ | ((wc_uint32)((p)[3] & 0x7f) << 7) \
+- | ((wc_uint32)((p)[4] & 0x7f) )
++ | ((wc_uint32)((p)[4] & 0x7f) ))
+
+ void
+ wtf_push(Str os, wc_ccs ccs, wc_uint32 code)
+--
+2.10.2
+
diff --git a/debian/patches/950_textarea.patch b/debian/patches/950_textarea.patch
new file mode 100644
index 0000000..1433d75
--- /dev/null
+++ b/debian/patches/950_textarea.patch
@@ -0,0 +1,27 @@
+Subject: Prevent infinite loop in feed_textarea()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/85
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7a2675b4a5680d44645e72c4ec1258746a6e1b66
+
+---
+ file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index 4fe8239..da16a0a 100644
+--- a/file.c
++++ b/file.c
+@@ -4076,7 +4076,9 @@ feed_textarea(char *str)
+ Strcat_charp(textarea_str[n_textarea], "\r\n");
+ str++;
+ }
+- else if (*str != '\r')
++ else if (*str == '\r')
++ str++;
++ else
+ Strcat_char(textarea_str[n_textarea], *(str++));
+ }
+ }
+--
+2.10.2
+
diff --git a/debian/patches/951_lineproc0.patch b/debian/patches/951_lineproc0.patch
new file mode 100644
index 0000000..6585cca
--- /dev/null
+++ b/debian/patches/951_lineproc0.patch
@@ -0,0 +1,25 @@
+Subject: Prevent heap-use-after-free read in HTMLlineproc0()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/81
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=aa2077e06fc11f65ba1773e8f5da83d98057e829
+
+---
+ file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index da16a0a..6ecb0a6 100644
+--- a/file.c
++++ b/file.c
+@@ -6328,7 +6328,7 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal)
+ }
+ if (h_env->tagbuf->length == 0)
+ continue;
+- str = h_env->tagbuf->ptr;
++ str = Strdup(h_env->tagbuf)->ptr;
+ if (*str == '<') {
+ if (str[1] && REALLY_THE_BEGINNING_OF_A_TAG(str))
+ is_tag = TRUE;
+--
+2.10.2
+
diff --git a/debian/patches/952_formupdatebuffer.patch b/debian/patches/952_formupdatebuffer.patch
new file mode 100644
index 0000000..c5b7444
--- /dev/null
+++ b/debian/patches/952_formupdatebuffer.patch
@@ -0,0 +1,26 @@
+Subject: Prevent invalid form_update_line() call in formUpdateBuffer()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/82
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=dc32152dc051923e322fc251aaa2dbd5e54c0fbf
+
+---
+ form.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/form.c b/form.c
+index 1aaaf19..162439a 100644
+--- a/form.c
++++ b/form.c
+@@ -490,7 +490,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
+ spos = a->start.pos;
+ epos = a->end.pos;
+ }
+- if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0)
++ if (a->start.line != a->end.line || spos > epos || epos >= l->len ||
++ spos < 0 || epos < 0 || COLPOS(l, epos) < col)
+ break;
+ pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,
+ rows > 1,
+--
+2.10.2
+
diff --git a/debian/patches/953_formupdateline.patch b/debian/patches/953_formupdateline.patch
new file mode 100644
index 0000000..77ede43
--- /dev/null
+++ b/debian/patches/953_formupdateline.patch
@@ -0,0 +1,26 @@
+Subject: Preserve one byte for end of string character in form_update_line()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/68#issuecomment-266214643
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=eb4130a7cd2202de6aeb772b7e4f2a417dbff173
+
+---
+ form.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/form.c b/form.c
+index 162439a..0605513 100644
+--- a/form.c
++++ b/form.c
+@@ -320,7 +320,8 @@ form_update_line(Line *line, char **str, int spos, int epos, int width,
+ pos += width - w;
+
+ len = line->len + pos + spos - epos;
+- buf = New_N(char, len);
++ buf = New_N(char, len + 1);
++ buf[len] = '\0';
+ prop = New_N(Lineprop, len);
+ bcopy((void *)line->lineBuf, (void *)buf, spos * sizeof(char));
+ bcopy((void *)line->propBuf, (void *)prop, spos * sizeof(Lineprop));
+--
+2.10.2
+
diff --git a/debian/patches/954_wtfparse1.patch b/debian/patches/954_wtfparse1.patch
new file mode 100644
index 0000000..62b5e91
--- /dev/null
+++ b/debian/patches/954_wtfparse1.patch
@@ -0,0 +1,84 @@
+Subject: Prevent overflow beyond the end of string in wtf_parse1()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/68
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=00433f4ac2645ac6236ea1892b4a93f26a039a84
+
+---
+ libwc/wtf.c | 44 ++++++++++++++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index cdc6cbc..94d95c1 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -397,7 +397,7 @@ wtf_parse1(wc_uchar **p)
+ cc.code = *(q++);
+ } else if (*q > 0xa0) {
+ cc.ccs = wtf_gr_ccs;
+- if (WC_CCS_IS_WIDE(cc.ccs)) {
++ if (WC_CCS_IS_WIDE(cc.ccs) && *(q+1)) {
+ cc.code = ((wc_uint32)*q << 8) | *(q+1);
+ q += 2;
+ } else
+@@ -410,27 +410,47 @@ wtf_parse1(wc_uchar **p)
+ case WC_CCS_A_CS942:
+ case WC_CCS_A_PCS:
+ case WC_CCS_A_UNKNOWN:
+- cc.ccs |= *(q++) & 0x7f;
+- cc.code = *(q++);
++ if (*q && *(q+1)) {
++ cc.ccs |= *(q++) & 0x7f;
++ cc.code = *(q++);
++ } else {
++ cc.ccs = WC_CCS_US_ASCII;
++ cc.code = (wc_uint32)' ';
++ }
+ break;
+ case WC_CCS_A_CS94W:
+ case WC_CCS_A_CS96W:
+ case WC_CCS_A_PCSW:
+- cc.ccs |= *(q++) & 0x7f;
+- cc.code = ((wc_uint32)*q << 8) | *(q+1);
+- q += 2;
++ if (*q && *(q+1) && *(q+2)) {
++ cc.ccs |= *(q++) & 0x7f;
++ cc.code = ((wc_uint32)*q << 8) | *(q+1);
++ q += 2;
++ } else {
++ cc.ccs = WC_CCS_US_ASCII;
++ cc.code = (wc_uint32)' ';
++ }
+ break;
+ case WC_CCS_A_WCS16:
+ case WC_CCS_A_WCS16W:
+- cc.ccs |= (*q & 0x7c) >> 2;
+- cc.code = wtf_to_wcs16(q);
+- q += 3;
++ if (*q && *(q+1) && *(q+2)) {
++ cc.ccs |= (*q & 0x7c) >> 2;
++ cc.code = wtf_to_wcs16(q);
++ q += 3;
++ } else {
++ cc.ccs = WC_CCS_US_ASCII;
++ cc.code = (wc_uint32)' ';
++ }
+ break;
+ case WC_CCS_A_WCS32:
+ case WC_CCS_A_WCS32W:
+- cc.ccs |= (*q & 0x70) >> 4;
+- cc.code = wtf_to_wcs32(q);
+- q += 5;
++ if (*q && *(q+1) && *(q+2) && *(q+3) && *(q+4)) {
++ cc.ccs |= (*q & 0x70) >> 4;
++ cc.code = wtf_to_wcs32(q);
++ q += 5;
++ } else {
++ cc.ccs = WC_CCS_US_ASCII;
++ cc.code = (wc_uint32)' ';
++ }
+ break;
+ default:
+ /* case 0: */
+--
+2.10.2
+
diff --git a/debian/patches/series b/debian/patches/series
index d7c9aee..2deaeaf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -69,3 +69,24 @@
931_parse-url.patch
932_ucsmap.patch
933_table-level.patch
+934_menu.patch
+935_shiftanchor.patch
+936_metarefresh.patch
+937_lineproc0.patch
+938_lineproc2body.patch
+939_textarea.patch
+940_tabattr.patch
+941_integeredwidth.patch
+942_tridvalue.patch
+943_pushlink.patch
+944_lineproc0.patch
+945_wtfstrwidth.patch
+946_strnewsize.patch
+947_realcolumn.patch
+948_getmclen.patch
+949_wtftowcs.patch
+950_textarea.patch
+951_lineproc0.patch
+952_formupdatebuffer.patch
+953_formupdateline.patch
+954_wtfparse1.patch