New patch 915_table-alt.patch to fix near-null deref [CVE-2016-9441]

2 files changed, 19 insertions, 0 deletions

diff --git a/debian/patches/915_table-alt.patch b/debian/patches/915_table-alt.patch
new file mode 100644
index 0000000..3d1eee2
--- /dev/null
+++ b/debian/patches/915_table-alt.patch
@@ -0,0 +1,18 @@
+Subject: Prevent segfault with malformed table_alt
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/24 [CVE-2016-9441]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a6257663824c63abb3c62c4dd62455fe6f63d958
+
+diff --git a/table.c b/table.c
+index a54ea01..022effe 100644
+--- a/table.c
++++ b/table.c
+@@ -761,7 +761,7 @@ do_refill(struct table *tbl, int row, int col, int maxlimit)
+ 	    struct parsed_tag *tag;
+ 	    if ((tag = parse_tag(&p, TRUE)) != NULL)
+ 		parsedtag_get_value(tag, ATTR_TID, &id);
+-	    if (id >= 0 && id < tbl->ntable) {
++	    if (id >= 0 && id < tbl->ntable && tbl->tables[id].ptr) {
+ 		int alignment;
+ 		TextLineListItem *ti;
+ 		struct table *t = tbl->tables[id].ptr;
diff --git a/debian/patches/series b/debian/patches/series
index 8e9b809..fb9b5b7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -50,3 +50,4 @@
 912_i-dd.patch
 913_tabwidth.patch
 914_curline.patch
+915_table-alt.patch