aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-08-17 12:30:50 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-19 05:11:41 +0000
commit2d549cde75bd984e09348432f813793459fc2bd3 (patch)
tree03fd8aa6cf32611ea9d40950b26c8e9276a0aa14
parentPrevent segfault for formUpdateBuffer (diff)
downloadw3m-2d549cde75bd984e09348432f813793459fc2bd3.tar.gz
w3m-2d549cde75bd984e09348432f813793459fc2bd3.zip
Prevent segfault when iso2022 parsing
Bug-Debian: https://github.com/tats/w3m/issues/14 [CVE-2016-9433] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=9cf6926c5d947371dc9e44f32bc7a2fbfca5d469
Diffstat (limited to '')
-rw-r--r--libwc/iso2022.c21
1 files changed, 14 insertions, 7 deletions
diff --git a/libwc/iso2022.c b/libwc/iso2022.c
index 33d9a19..59f35de 100644
--- a/libwc/iso2022.c
+++ b/libwc/iso2022.c
@@ -405,7 +405,8 @@ wc_push_to_iso2022(Str os, wc_wchar_t cc, wc_status *st)
case WC_CCS_A_CS94:
if (cc.ccs == WC_CCS_US_ASCII)
cc.ccs = st->g0_ccs;
- g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
+ g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
break;
case WC_CCS_A_CS94W:
is_wide = 1;
@@ -435,31 +436,37 @@ wc_push_to_iso2022(Str os, wc_wchar_t cc, wc_status *st)
break;
#endif
}
- g = cs94w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
+ g = cs94w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
break;
case WC_CCS_A_CS96:
- g = cs96_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
+ g = cs96_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
break;
case WC_CCS_A_CS96W:
is_wide = 1;
- g = cs96w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
+ g = cs96w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
break;
case WC_CCS_A_CS942:
- g = cs942_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
+ g = cs942_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
break;
case WC_CCS_A_UNKNOWN_W:
if (WcOption.no_replace)
return;
is_wide = 1;
cc.ccs = WC_CCS_US_ASCII;
- g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
+ g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
cc.code = ((wc_uint32)WC_REPLACE_W[0] << 8) | WC_REPLACE_W[1];
break;
case WC_CCS_A_UNKNOWN:
if (WcOption.no_replace)
return;
cc.ccs = WC_CCS_US_ASCII;
- g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
+ g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
cc.code = (wc_uint32)WC_REPLACE[0];
break;
default: