diff options
| author | Tatsuya Kinoshita <tats@debian.org> | 2016-11-06 16:25:49 +0000 |
|---|---|---|
| committer | Tatsuya Kinoshita <tats@debian.org> | 2016-11-24 10:23:34 +0000 |
| commit | 2e18e9a5987b2a330143528c106c774d4050af47 (patch) | |
| tree | c00743e06da073c63933dd76234a6a1b875edcad | |
| parent | Prevent global-buffer-overflow in wc_any_to_ucs() (diff) | |
| download | w3m-0.5.3+debian-19+deb8u1.tar.gz w3m-0.5.3+debian-19+deb8u1.zip | |
Prevent memory exhausted due to repeat appending "</table>"v0.5.3+debian-19+deb8u1
Bug-Debian: https://github.com/tats/w3m/issues/23 [CVE-2016-9633]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=216722ed7282cec4338b177ea9ffdd39ad1b8c8c
| -rw-r--r-- | file.c | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -6988,9 +6988,12 @@ completeHTMLstream(struct html_feed_environ *h_env, struct readbuffer *obuf) obuf->table_level = MAX_TABLE - 1; while (obuf->table_level >= 0) { + int tmp = obuf->table_level; table_mode[obuf->table_level].pre_mode &= ~(TBLM_SCRIPT | TBLM_STYLE | TBLM_PLAIN); HTMLlineproc1("</table>", h_env); + if (obuf->table_level >= tmp) + break; } } |