Prevent negative indent value in feed_table_block_tag()

Bug-Debian: https://github.com/tats/w3m/issues/88 [CVE-2018-6196]
author: Tatsuya Kinoshita <tats@debian.org> 2018-01-25 16:03:19 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2020-05-01 11:27:05 +0000
commit: 67acbc423185feb770add20116a22b3f8d1f42e7 (patch)
tree: ef6c05b4a90653361051bf28bff0710f35aff1f7
parent: Prevent overflow beyond the end of string in wtf_parse1() (diff)
download: w3m-67acbc423185feb770add20116a22b3f8d1f42e7.tar.gz
w3m-67acbc423185feb770add20116a22b3f8d1f42e7.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/table.c b/table.c
index 1313533..0b6e65f 100644
--- a/table.c
+++ b/table.c
@@ -2357,10 +2357,14 @@ feed_table_block_tag(struct table *tbl,
 	if (mode->indent_level < MAX_INDENT_LEVEL)
 	    tbl->indent -= INDENT_INCR;
     }
+    if (tbl->indent < 0)
+	tbl->indent = 0;
     offset = tbl->indent;
     if (cmd == HTML_DT) {
 	if (mode->indent_level > 0 && mode->indent_level <= MAX_INDENT_LEVEL)
 	    offset -= INDENT_INCR;
+	if (offset < 0)
+	    offset = 0;
     }
     if (tbl->indent > 0) {
 	check_minimum0(tbl, 0);
author	Tatsuya Kinoshita <tats@debian.org>	2018-01-25 16:03:19 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2020-05-01 11:27:05 +0000
commit	67acbc423185feb770add20116a22b3f8d1f42e7 (patch)
tree	ef6c05b4a90653361051bf28bff0710f35aff1f7
parent	Prevent overflow beyond the end of string in wtf_parse1() (diff)
download	w3m-67acbc423185feb770add20116a22b3f8d1f42e7.tar.gz w3m-67acbc423185feb770add20116a22b3f8d1f42e7.zip