aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-08-17 10:47:19 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-08-17 10:47:19 +0000
commita25fd09f74fb83499396935a96d63bb7cb8e2c58 (patch)
treebd6253483c701f480377482c722f074c28bc3ac9
parentUpdate ChangeLog (diff)
downloadw3m-a25fd09f74fb83499396935a96d63bb7cb8e2c58.tar.gz
w3m-a25fd09f74fb83499396935a96d63bb7cb8e2c58.zip
Prevent negative array index for selectnumber and textareanumber
Bug-Debian: https://github.com/tats/w3m/issues/12
-rw-r--r--file.c8
-rw-r--r--form.c8
2 files changed, 10 insertions, 6 deletions
diff --git a/file.c b/file.c
index ceabbc1..1e902a8 100644
--- a/file.c
+++ b/file.c
@@ -69,7 +69,7 @@ static int cur_status;
#ifdef MENU_SELECT
/* menu based <select> */
FormSelectOption *select_option;
-static int max_select = MAX_SELECT;
+int max_select = MAX_SELECT;
static int n_select;
static int cur_option_maxwidth;
#endif /* MENU_SELECT */
@@ -81,7 +81,7 @@ static int cur_textarea_rows;
static int cur_textarea_readonly;
static int n_textarea;
static int ignore_nl_textarea;
-static int max_textarea = MAX_TEXTAREA;
+int max_textarea = MAX_TEXTAREA;
static int http_response_code;
@@ -6014,7 +6014,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
case HTML_TEXTAREA_INT:
if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER,
&n_textarea)
- && n_textarea < max_textarea) {
+ && n_textarea >= 0 && n_textarea < max_textarea) {
textarea_str[n_textarea] = Strnew();
}
else
@@ -6031,7 +6031,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
#ifdef MENU_SELECT
case HTML_SELECT_INT:
if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &n_select)
- && n_select < max_select) {
+ && n_select >= 0 && n_select < max_select) {
select_option[n_select].first = NULL;
select_option[n_select].last = NULL;
}
diff --git a/form.c b/form.c
index 87a5d49..da115fa 100644
--- a/form.c
+++ b/form.c
@@ -10,8 +10,10 @@
#include "regex.h"
extern Str *textarea_str;
+extern int max_textarea;
#ifdef MENU_SELECT
extern FormSelectOption *select_option;
+extern int max_select;
#include "menu.h"
#endif /* MENU_SELECT */
@@ -122,10 +124,12 @@ formList_addInput(struct form_list *fl, struct parsed_tag *tag)
parsedtag_get_value(tag, ATTR_SIZE, &item->size);
parsedtag_get_value(tag, ATTR_MAXLENGTH, &item->maxlength);
item->readonly = parsedtag_exists(tag, ATTR_READONLY);
- if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i))
+ if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i)
+ && i >= 0 && i < max_textarea)
item->value = item->init_value = textarea_str[i];
#ifdef MENU_SELECT
- if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i))
+ if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i)
+ && i >= 0 && i < max_select)
item->select_option = select_option[i].first;
#endif /* MENU_SELECT */
if (parsedtag_get_value(tag, ATTR_ROWS, &p))