Prevent segfault due to buffer overflows in addMultirowsForm

Bug-Debian: https://github.com/tats/w3m/issues/21 [CVE-2016-9425] Bug-Debian: https://github.com/tats/w3m/issues/26 [CVE-2016-9428] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=4e464819dd360ffd3d58fa2a89216fe413cfcc74
author: Tatsuya Kinoshita <tats@debian.org> 2016-08-29 10:28:41 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2016-11-19 05:16:22 +0000
commit: b8eb0d416c32dbc06dba05af0f367396a40ee03f (patch)
tree: 5b4860c623ab2c61adde8c2ba9faf5e14507ae6b
parent: Prevent segfault with malformed table_alt (diff)
download: w3m-b8eb0d416c32dbc06dba05af0f367396a40ee03f.tar.gz
w3m-b8eb0d416c32dbc06dba05af0f367396a40ee03f.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/anchor.c b/anchor.c
index 39f221d..e006aea 100644
--- a/anchor.c
+++ b/anchor.c
@@ -687,6 +687,8 @@ addMultirowsForm(Buffer *buf, AnchorList *al)
 	    a->hseq = a_form.hseq;
 	    a->y = a_form.y;
 	    a->end.pos = pos + ecol - col;
+	    if (pos < 1 || a->end.pos >= l->size)
+		continue;
 	    l->lineBuf[pos - 1] = '[';
 	    l->lineBuf[a->end.pos] = ']';
 	    for (k = pos; k < a->end.pos; k++)
author	Tatsuya Kinoshita <tats@debian.org>	2016-08-29 10:28:41 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2016-11-19 05:16:22 +0000
commit	b8eb0d416c32dbc06dba05af0f367396a40ee03f (patch)
tree	5b4860c623ab2c61adde8c2ba9faf5e14507ae6b
parent	Prevent segfault with malformed table_alt (diff)
download	w3m-b8eb0d416c32dbc06dba05af0f367396a40ee03f.tar.gz w3m-b8eb0d416c32dbc06dba05af0f367396a40ee03f.zip