author | Tatsuya Kinoshita <tats@debian.org> | 2016-11-21 14:25:20 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2016-11-21 14:25:20 +0000 |
commit | d65e12bdf571d1ea3333c30514d737e6563ebc61 (patch) | |
tree | 0f441c7271b9c1ff251b2c0e6f1de4ff807c5a43 | |
parent | New patch 912_i-dd.patch to fix uninit values (diff) | |
download | w3m-d65e12bdf571d1ea3333c30514d737e6563ebc61.tar.gz w3m-d65e12bdf571d1ea3333c30514d737e6563ebc61.zip |
New patch 913_tabwidth.patch to fix heap corruption [CVE-2016-9426]
-rw-r--r-- | debian/patches/913_tabwidth.patch | 20 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 21 insertions, 0 deletions
diff --git a/debian/patches/913_tabwidth.patch b/debian/patches/913_tabwidth.patch new file mode 100644 index 0000000..450df24 --- /dev/null +++ b/debian/patches/913_tabwidth.patch @@ -0,0 +1,20 @@ +Subject: Truncate max_width for renderTable +Author: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/25 [CVE-2016-9426] +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=b910f0966d9efea93ea8cef491000a83ffb49c5e + +diff --git a/table.c b/table.c +index deeab0a..a54ea01 100644 +--- a/table.c ++++ b/table.c +@@ -1724,6 +1724,10 @@ renderTable(struct table *t, int max_width, struct html_feed_environ *h_env) + if (max_width < rulewidth) + max_width = rulewidth; + ++#define MAX_TABWIDTH 10000 ++ if (max_width > MAX_TABWIDTH) ++ max_width = MAX_TABWIDTH; ++ + check_maximum_width(t); + + #ifdef MATRIX diff --git a/debian/patches/series b/debian/patches/series index 6654637..9404dea 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -48,3 +48,4 @@ 910_input-alt.patch 911_rowcolspan.patch 912_i-dd.patch +913_tabwidth.patch |
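Review bot: In the renderTable hunk carried by 913_tabwidth.patch, the new upper clamp runs after the existing floor `if (max_width < rulewidth) max_width = rulewidth;`, so whenever rulewidth is larger than MAX_TABWIDTH the clamp pushes max_width back below rulewidth and silently undoes that floor. Please state which bound is meant to win, and if the floor must hold, handle the rulewidth > MAX_TABWIDTH case explicitly before check_maximum_width(t) is called. Separately, `#define MAX_TABWIDTH 10000` sits inside the function body with no comment on why 10000 was chosen; moving it to file scope with a one-line rationale would help the next reader, and the patch header (Subject, Author, Bug-Debian, Origin) would benefit from a short description of how an oversized max_width leads to the heap corruption named in the commit message.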