diff options
author | Tatsuya Kinoshita <tats@debian.org> | 2016-08-17 10:47:19 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2016-11-19 05:11:41 +0000 |
commit | bde3a3e9a0b10a9274a837ea09296400cdd513c9 (patch) | |
tree | 77fefdef511b43781043417cf3a04ec556a37cfb | |
parent | Prevent segfault for formUpdateBuffer (diff) | |
download | w3m-bde3a3e9a0b10a9274a837ea09296400cdd513c9.tar.gz w3m-bde3a3e9a0b10a9274a837ea09296400cdd513c9.zip |
Prevent negative array index for selectnumber and textareanumber
Bug-Debian: https://github.com/tats/w3m/issues/12 [CVE-2016-9424]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a25fd09f74fb83499396935a96d63bb7cb8e2c58
Diffstat (limited to '')
-rw-r--r-- | file.c | 8 | ||||
-rw-r--r-- | form.c | 8 |
2 files changed, 10 insertions, 6 deletions
@@ -67,7 +67,7 @@ static int cur_status; #ifdef MENU_SELECT /* menu based <select> */ FormSelectOption *select_option; -static int max_select = MAX_SELECT; +int max_select = MAX_SELECT; static int n_select; static int cur_option_maxwidth; #endif /* MENU_SELECT */ @@ -79,7 +79,7 @@ static int cur_textarea_rows; static int cur_textarea_readonly; static int n_textarea; static int ignore_nl_textarea; -static int max_textarea = MAX_TEXTAREA; +int max_textarea = MAX_TEXTAREA; static int http_response_code; @@ -5986,7 +5986,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit) case HTML_TEXTAREA_INT: if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &n_textarea) - && n_textarea < max_textarea) { + && n_textarea >= 0 && n_textarea < max_textarea) { textarea_str[n_textarea] = Strnew(); } else @@ -6003,7 +6003,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit) #ifdef MENU_SELECT case HTML_SELECT_INT: if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &n_select) - && n_select < max_select) { + && n_select >= 0 && n_select < max_select) { select_option[n_select].first = NULL; select_option[n_select].last = NULL; } @@ -10,8 +10,10 @@ #include "regex.h" extern Str *textarea_str; +extern int max_textarea; #ifdef MENU_SELECT extern FormSelectOption *select_option; +extern int max_select; #include "menu.h" #endif /* MENU_SELECT */ @@ -122,10 +124,12 @@ formList_addInput(struct form_list *fl, struct parsed_tag *tag) parsedtag_get_value(tag, ATTR_SIZE, &item->size); parsedtag_get_value(tag, ATTR_MAXLENGTH, &item->maxlength); item->readonly = parsedtag_exists(tag, ATTR_READONLY); - if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i)) + if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i) + && i >= 0 && i < max_textarea) item->value = item->init_value = textarea_str[i]; #ifdef MENU_SELECT - if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i)) + if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i) + && i >= 0 && i < max_select) item->select_option = select_option[i].first; #endif /* MENU_SELECT */ if (parsedtag_get_value(tag, ATTR_ROWS, &p)) |