Prevent invalid form_update_line() call in formUpdateBuffer()

Bug-Debian: https://github.com/tats/w3m/issues/82 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=dc32152dc051923e322fc251aaa2dbd5e54c0fbf
author: Tatsuya Kinoshita <tats@debian.org> 2016-12-24 03:58:44 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2017-01-06 14:20:32 +0000
commit: 4573b9d936175294c0ea93106bbfe5888f974792 (patch)
tree: 395c11000b282e9258dfc21a3215fdc16a17c60f
parent: Prevent heap-use-after-free read in HTMLlineproc0() (diff)
download: w3m-4573b9d936175294c0ea93106bbfe5888f974792.tar.gz
w3m-4573b9d936175294c0ea93106bbfe5888f974792.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/form.c b/form.c
index 1aaaf19d..162439a 100644
--- a/form.c
+++ b/form.c
@@ -490,7 +490,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
 		spos = a->start.pos;
 		epos = a->end.pos;
 	    }
-	    if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0)
+	    if (a->start.line != a->end.line || spos > epos || epos >= l->len ||
+		spos < 0 || epos < 0 || COLPOS(l, epos) < col)
 		break;
 	    pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,
 				   rows > 1,
author	Tatsuya Kinoshita <tats@debian.org>	2016-12-24 03:58:44 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2017-01-06 14:20:32 +0000
commit	4573b9d936175294c0ea93106bbfe5888f974792 (patch)
tree	395c11000b282e9258dfc21a3215fdc16a17c60f
parent	Prevent heap-use-after-free read in HTMLlineproc0() (diff)
download	w3m-4573b9d936175294c0ea93106bbfe5888f974792.tar.gz w3m-4573b9d936175294c0ea93106bbfe5888f974792.zip