Prevent invalid columnPos() call in formUpdateBuffer()v0.5.3+debian-19+deb8u3 master-jessie

Bug-Debian: https://github.com/tats/w3m/issues/89 [CVE-2018-6197]
author: Tatsuya Kinoshita <tats@debian.org> 2018-01-25 16:03:39 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2020-05-01 11:27:28 +0000
commit: f70b8f0a23e407c18e09dc5acbee7444844839d8 (patch)
tree: b4afce11b428cea6317e97f52ee4e021038c54f7
parent: Prevent negative indent value in feed_table_block_tag() (diff)
download: w3m-f70b8f0a23e407c18e09dc5acbee7444844839d8.tar.gz
w3m-f70b8f0a23e407c18e09dc5acbee7444844839d8.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/form.c b/form.c
index 0605513..0a71f9c 100644
--- a/form.c
+++ b/form.c
@@ -483,6 +483,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
 	rows = form->rows ? form->rows : 1;
 	col = COLPOS(l, a->start.pos);
 	for (c_rows = 0; c_rows < rows; c_rows++, l = l->next) {
+	    if (l == NULL)
+		break;
 	    if (rows > 1) {
 		pos = columnPos(l, col);
 		a = retrieveAnchor(buf->formitem, l->linenumber, pos);
author	Tatsuya Kinoshita <tats@debian.org>	2018-01-25 16:03:39 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2020-05-01 11:27:28 +0000
commit	f70b8f0a23e407c18e09dc5acbee7444844839d8 (patch)
tree	b4afce11b428cea6317e97f52ee4e021038c54f7
parent	Prevent negative indent value in feed_table_block_tag() (diff)
download	w3m-f70b8f0a23e407c18e09dc5acbee7444844839d8.tar.gz w3m-f70b8f0a23e407c18e09dc5acbee7444844839d8.zip