Prevent heap-use-after-free in HTMLlineproc0()

Bug-Debian: https://github.com/tats/w3m/issues/65 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=26484fc1381e5ec758db950f2bd17f1496220c92
author: Tatsuya Kinoshita <tats@debian.org> 2016-12-07 13:09:06 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2017-01-06 13:09:18 +0000
commit: da22157aa6c64931e0965507e706b5a1592a9c4c (patch)
tree: 658d42f377003c2fbbf66e1304471e6e8dc35fd8
parent: Prevent negative values for offset and pos in push_link() (diff)
download: w3m-da22157aa6c64931e0965507e706b5a1592a9c4c.tar.gz
w3m-da22157aa6c64931e0965507e706b5a1592a9c4c.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/file.c b/file.c
index 483180a..f5ca8d2 100644
--- a/file.c
+++ b/file.c
@@ -6585,7 +6585,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal)
 		indent = h_env->envs[h_env->envc].indent;
 		if (obuf->bp.pos - i > indent) {
 		    Str line;
-		    append_tags(obuf);
+		    append_tags(obuf);	/* may reallocate the buffer */
+		    bp = obuf->line->ptr + obuf->bp.len;
 		    line = Strnew_charp(bp);
 		    Strshrink(obuf->line, obuf->line->length - obuf->bp.len);
 #ifdef FORMAT_NICE
author	Tatsuya Kinoshita <tats@debian.org>	2016-12-07 13:09:06 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2017-01-06 13:09:18 +0000
commit	da22157aa6c64931e0965507e706b5a1592a9c4c (patch)
tree	658d42f377003c2fbbf66e1304471e6e8dc35fd8
parent	Prevent negative values for offset and pos in push_link() (diff)
download	w3m-da22157aa6c64931e0965507e706b5a1592a9c4c.tar.gz w3m-da22157aa6c64931e0965507e706b5a1592a9c4c.zip