diff options
| author | Tatsuya Kinoshita <tats@debian.org> | 2016-08-17 12:30:50 +0000 |
|---|---|---|
| committer | Tatsuya Kinoshita <tats@debian.org> | 2016-11-19 05:11:41 +0000 |
| commit | 2d549cde75bd984e09348432f813793459fc2bd3 (patch) | |
| tree | 03fd8aa6cf32611ea9d40950b26c8e9276a0aa14 | |
| parent | Prevent segfault for formUpdateBuffer (diff) | |
| download | w3m-2d549cde75bd984e09348432f813793459fc2bd3.tar.gz w3m-2d549cde75bd984e09348432f813793459fc2bd3.zip | |
Prevent segfault when iso2022 parsing
Bug-Debian: https://github.com/tats/w3m/issues/14 [CVE-2016-9433]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=9cf6926c5d947371dc9e44f32bc7a2fbfca5d469
| -rw-r--r-- | libwc/iso2022.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/libwc/iso2022.c b/libwc/iso2022.c index 33d9a19..59f35de 100644 --- a/libwc/iso2022.c +++ b/libwc/iso2022.c @@ -405,7 +405,8 @@ wc_push_to_iso2022(Str os, wc_wchar_t cc, wc_status *st) case WC_CCS_A_CS94: if (cc.ccs == WC_CCS_US_ASCII) cc.ccs = st->g0_ccs; - g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; + if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE) + g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; break; case WC_CCS_A_CS94W: is_wide = 1; @@ -435,31 +436,37 @@ wc_push_to_iso2022(Str os, wc_wchar_t cc, wc_status *st) break; #endif } - g = cs94w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; + if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE) + g = cs94w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; break; case WC_CCS_A_CS96: - g = cs96_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; + if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE) + g = cs96_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; break; case WC_CCS_A_CS96W: is_wide = 1; - g = cs96w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; + if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE) + g = cs96w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; break; case WC_CCS_A_CS942: - g = cs942_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; + if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE) + g = cs942_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; break; case WC_CCS_A_UNKNOWN_W: if (WcOption.no_replace) return; is_wide = 1; cc.ccs = WC_CCS_US_ASCII; - g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; + if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE) + g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; cc.code = ((wc_uint32)WC_REPLACE_W[0] << 8) | WC_REPLACE_W[1]; break; case WC_CCS_A_UNKNOWN: if (WcOption.no_replace) return; cc.ccs = WC_CCS_US_ASCII; - g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; + if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE) + g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE]; cc.code = (wc_uint32)WC_REPLACE[0]; break; default: |