aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-11-21 14:25:20 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-21 14:25:20 +0000
commitd65e12bdf571d1ea3333c30514d737e6563ebc61 (patch)
tree0f441c7271b9c1ff251b2c0e6f1de4ff807c5a43
parentNew patch 912_i-dd.patch to fix uninit values (diff)
downloadw3m-d65e12bdf571d1ea3333c30514d737e6563ebc61.tar.gz
w3m-d65e12bdf571d1ea3333c30514d737e6563ebc61.zip
New patch 913_tabwidth.patch to fix heap corruption [CVE-2016-9426]
Diffstat (limited to '')
-rw-r--r--debian/patches/913_tabwidth.patch20
-rw-r--r--debian/patches/series1
2 files changed, 21 insertions, 0 deletions
diff --git a/debian/patches/913_tabwidth.patch b/debian/patches/913_tabwidth.patch
new file mode 100644
index 0000000..450df24
--- /dev/null
+++ b/debian/patches/913_tabwidth.patch
@@ -0,0 +1,20 @@
+Subject: Truncate max_width for renderTable
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/25 [CVE-2016-9426]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=b910f0966d9efea93ea8cef491000a83ffb49c5e
+
+diff --git a/table.c b/table.c
+index deeab0a..a54ea01 100644
+--- a/table.c
++++ b/table.c
+@@ -1724,6 +1724,10 @@ renderTable(struct table *t, int max_width, struct html_feed_environ *h_env)
+ if (max_width < rulewidth)
+ max_width = rulewidth;
+
++#define MAX_TABWIDTH 10000
++ if (max_width > MAX_TABWIDTH)
++ max_width = MAX_TABWIDTH;
++
+ check_maximum_width(t);
+
+ #ifdef MATRIX
diff --git a/debian/patches/series b/debian/patches/series
index 6654637..9404dea 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -48,3 +48,4 @@
910_input-alt.patch
911_rowcolspan.patch
912_i-dd.patch
+913_tabwidth.patch