diff options
| author | Tatsuya Kinoshita <tats@debian.org> | 2016-10-07 22:06:12 +0000 |
|---|---|---|
| committer | Tatsuya Kinoshita <tats@debian.org> | 2016-11-19 05:26:31 +0000 |
| commit | 7947052d2655da83175641f698bb3ae5a384b129 (patch) | |
| tree | 6f2ccac494a20172d12a0f985bed00c3a015d3ba | |
| parent | Fix null pointer dereference in formUpdateBuffer (diff) | |
| download | w3m-7947052d2655da83175641f698bb3ae5a384b129.tar.gz w3m-7947052d2655da83175641f698bb3ae5a384b129.zip | |
Prevent global-buffer-overflow write in formUpdateBuffer
Bug-Debian: https://github.com/tats/w3m/issues/29 [CVE-2016-9429]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d01de738f599441740437c6600dd5b1ae7155d27
| -rw-r--r-- | form.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -442,6 +442,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) switch (form->type) { case FORM_INPUT_CHECKBOX: case FORM_INPUT_RADIO: + if (spos >= buf->currentLine->len || spos < 0) + break; if (form->checked) buf->currentLine->lineBuf[spos] = '*'; else @@ -487,7 +489,7 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) spos = a->start.pos; epos = a->end.pos; } - if (a->start.line != a->end.line || spos > epos || epos >= l->len) + if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0) break; pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col, rows > 1, |