Prevent segfault with malformed input type

Bug-Debian: https://github.com/tats/w3m/issues/7 [CVE-2016-9430]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=59b91cd8e30c86f23476fa81ae005cabff49ebb6

1 files changed, 6 insertions, 4 deletions

diff --git a/file.c b/file.c
index 1e363d0..d06b2cf 100644
--- a/file.c
+++ b/file.c
@@ -3622,9 +3622,10 @@ process_input(struct parsed_tag *tag)
 	    Strcat(tmp, getLinkNumberStr(0));
 	Strcat_char(tmp, '(');
     }
-    Strcat(tmp, Sprintf("<input_alt hseq=\"%d\" fid=\"%d\" type=%s "
+    Strcat(tmp, Sprintf("<input_alt hseq=\"%d\" fid=\"%d\" type=\"%s\" "
 			"name=\"%s\" width=%d maxlength=%d value=\"%s\"",
-			cur_hseq++, cur_form_id, p, html_quote(r), w, i, qq));
+			cur_hseq++, cur_form_id, html_quote(p),
+			html_quote(r), w, i, qq));
     if (x)
 	Strcat_charp(tmp, " checked");
     if (y)
@@ -3772,9 +3773,10 @@ process_button(struct parsed_tag *tag)
     }
 
     //    Strcat_charp(tmp, "<pre_int>");
-    Strcat(tmp, Sprintf("<input_alt hseq=\"%d\" fid=\"%d\" type=%s "
+    Strcat(tmp, Sprintf("<input_alt hseq=\"%d\" fid=\"%d\" type=\"%s\" "
                        "name=\"%s\" value=\"%s\">",
-                       cur_hseq++, cur_form_id, p, html_quote(r), qq));
+                       cur_hseq++, cur_form_id, html_quote(p),
+                       html_quote(r), qq));
     return tmp;
 }