New patch 906_form-update.patch to fix bcopy size [CVE-2016-9432]

2 files changed, 22 insertions, 0 deletions

diff --git a/debian/patches/906_form-update.patch b/debian/patches/906_form-update.patch
new file mode 100644
index 0000000..5f4c642
--- /dev/null
+++ b/debian/patches/906_form-update.patch
@@ -0,0 +1,21 @@
+Subject: Prevent segfault for formUpdateBuffer
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/13 [CVE-2016-9432]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=807e8b7fbffca6dcaf5db40e35f05d05c5cf02d3
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7b88478227978a8d673b4dd0e05eee410cc33330
+
+diff --git a/form.c b/form.c
+index da115fa..779ba2f 100644
+--- a/form.c
++++ b/form.c
+@@ -481,8 +481,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
+ 		spos = a->start.pos;
+ 		epos = a->end.pos;
+ 	    }
+-	    if (a->start.line != a->end.line || spos > epos)
+-		epos = spos;
++	    if (a->start.line != a->end.line || spos > epos || epos >= l->len)
++		break;
+ 	    pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,
+ 				   rows > 1,
+ 				   form->type == FORM_INPUT_PASSWORD);
diff --git a/debian/patches/series b/debian/patches/series
index bb300fe..799a10b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,3 +41,4 @@
 903_input-type.patch
 904_form-update.patch
 905_textarea.patch
+906_form-update.patch