aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-11-21 14:34:04 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-21 14:34:04 +0000
commite1dd92b37f5d8d772a60b0db0a8fed6667d7d581 (patch)
tree2dffe1d29bc15d494fc81cf08ea770091e5b07a2
parentNew patch 913_tabwidth.patch to fix heap corruption [CVE-2016-9426] (diff)
downloadw3m-e1dd92b37f5d8d772a60b0db0a8fed6667d7d581.tar.gz
w3m-e1dd92b37f5d8d772a60b0db0a8fed6667d7d581.zip
New patch 914_curline.patch to fix near-null deref [CVE-2016-9440]
-rw-r--r--debian/patches/914_curline.patch18
-rw-r--r--debian/patches/series1
2 files changed, 19 insertions, 0 deletions
diff --git a/debian/patches/914_curline.patch b/debian/patches/914_curline.patch
new file mode 100644
index 0000000..c977b87
--- /dev/null
+++ b/debian/patches/914_curline.patch
@@ -0,0 +1,18 @@
+Subject: Prevent segfault for formUpdateBuffer
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/22 [CVE-2016-9440]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=4a8d16fc8d08206dd7142435054ee38ff41805b7
+
+diff --git a/form.c b/form.c
+index 779ba2f..20b7310 100644
+--- a/form.c
++++ b/form.c
+@@ -461,6 +461,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
+ #endif /* MENU_SELECT */
+ p = form->value->ptr;
+ l = buf->currentLine;
++ if (!l)
++ break;
+ if (form->type == FORM_TEXTAREA) {
+ int n = a->y - buf->currentLine->linenumber;
+ if (n > 0)
diff --git a/debian/patches/series b/debian/patches/series
index 9404dea..8e9b809 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -49,3 +49,4 @@
911_rowcolspan.patch
912_i-dd.patch
913_tabwidth.patch
+914_curline.patch