Prevent invalid columnPos() call in formUpdateBuffer()

Bug-Debian: https://github.com/tats/w3m/issues/89 [CVE-2018-6197]
author: Tatsuya Kinoshita <tats@debian.org> 2018-01-25 16:03:39 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2018-01-26 09:40:18 +0000
commit: 09a3560c7f07ecbbbcf579b60d201ece8b2b7c1f (patch)
tree: e88005eb8a041a2ef4c3c9a92e7a726e66e09149
parent: Prevent negative indent value in feed_table_block_tag() (diff)
download: w3m-09a3560c7f07ecbbbcf579b60d201ece8b2b7c1f.tar.gz
w3m-09a3560c7f07ecbbbcf579b60d201ece8b2b7c1f.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/form.c b/form.c
index 0605513..0a71f9c 100644
--- a/form.c
+++ b/form.c
@@ -483,6 +483,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
 	rows = form->rows ? form->rows : 1;
 	col = COLPOS(l, a->start.pos);
 	for (c_rows = 0; c_rows < rows; c_rows++, l = l->next) {
+	    if (l == NULL)
+		break;
 	    if (rows > 1) {
 		pos = columnPos(l, col);
 		a = retrieveAnchor(buf->formitem, l->linenumber, pos);
author	Tatsuya Kinoshita <tats@debian.org>	2018-01-25 16:03:39 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2018-01-26 09:40:18 +0000
commit	09a3560c7f07ecbbbcf579b60d201ece8b2b7c1f (patch)
tree	e88005eb8a041a2ef4c3c9a92e7a726e66e09149
parent	Prevent negative indent value in feed_table_block_tag() (diff)
download	w3m-09a3560c7f07ecbbbcf579b60d201ece8b2b7c1f.tar.gz w3m-09a3560c7f07ecbbbcf579b60d201ece8b2b7c1f.zip