Prevent null pointer deref due to bad form id

Bug-Debian: https://github.com/tats/w3m/issues/39 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=9db438094e5f0d84842bcbd248f282594ccb3c89
author: Tatsuya Kinoshita <tats@debian.org> 2016-11-14 12:16:45 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2016-11-19 12:26:05 +0000
commit: 874998af095c0e72dc041a2c9836dc3ef5afad87 (patch)
tree: 59dd1333db649e5ff8be50c34628baf4db727d66
parent: Prevent array index out of bounds for symbol (diff)
download: w3m-874998af095c0e72dc041a2c9836dc3ef5afad87.tar.gz
w3m-874998af095c0e72dc041a2c9836dc3ef5afad87.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/file.c b/file.c
index e3f0544..834071d 100644
--- a/file.c
+++ b/file.c
@@ -5805,7 +5805,8 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
 			parsedtag_get_value(tag, ATTR_FID, &form_id);
 			parsedtag_get_value(tag, ATTR_TOP_MARGIN, &top);
 			parsedtag_get_value(tag, ATTR_BOTTOM_MARGIN, &bottom);
-			if (form_id < 0 || form_id > form_max || forms == NULL)
+			if (form_id < 0 || form_id > form_max ||
+			    forms == NULL || forms[form_id] == NULL)
 			    break;	/* outside of <form>..</form> */
 			form = forms[form_id];
 			if (hseq > 0) {
@@ -7011,6 +7012,8 @@ print_internal_information(struct html_feed_environ *henv)
     if (form_max >= 0) {
 	FormList *fp;
 	for (i = 0; i <= form_max; i++) {
+	    if (forms[i] == NULL)
+		continue;
 	    fp = forms[i];
 	    s = Sprintf("<form_int fid=\"%d\" action=\"%s\" method=\"%s\"",
 			i, html_quote(fp->action->ptr),
author	Tatsuya Kinoshita <tats@debian.org>	2016-11-14 12:16:45 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2016-11-19 12:26:05 +0000
commit	874998af095c0e72dc041a2c9836dc3ef5afad87 (patch)
tree	59dd1333db649e5ff8be50c34628baf4db727d66
parent	Prevent array index out of bounds for symbol (diff)
download	w3m-874998af095c0e72dc041a2c9836dc3ef5afad87.tar.gz w3m-874998af095c0e72dc041a2c9836dc3ef5afad87.zip