authorTatsuya Kinoshita <tats@debian.org>2016-11-21 13:52:38 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-21 14:03:33 +0000
commit193c217dabdb4d29ecb44af8d7e3f91bfd84e851 (patch)
tree33b2f145d8dbb8724c9b144138fea486b0f1b7d7
parentNew patch 906_form-update.patch to fix bcopy size [CVE-2016-9432] (diff)
downloadw3m-193c217dabdb4d29ecb44af8d7e3f91bfd84e851.tar.gz
w3m-193c217dabdb4d29ecb44af8d7e3f91bfd84e851.zip
New patch 907_iso2022.patch to fix array index [CVE-2016-9433]
-rw-r--r--debian/patches/907_iso2022.patch63
-rw-r--r--debian/patches/series1
2 files changed, 64 insertions, 0 deletions
diff --git a/debian/patches/907_iso2022.patch b/debian/patches/907_iso2022.patch
new file mode 100644
index 0000000..60fa173
--- /dev/null
+++ b/debian/patches/907_iso2022.patch
@@ -0,0 +1,63 @@
+Subject: Prevent segfault when iso2022 parsing
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/14 [CVE-2016-9433]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=9cf6926c5d947371dc9e44f32bc7a2fbfca5d469
+
+diff --git a/libwc/iso2022.c b/libwc/iso2022.c
+index 33d9a19..59f35de 100644
+--- a/libwc/iso2022.c
++++ b/libwc/iso2022.c
+@@ -405,7 +405,8 @@ wc_push_to_iso2022(Str os, wc_wchar_t cc, wc_status *st)
+ case WC_CCS_A_CS94:
+ if (cc.ccs == WC_CCS_US_ASCII)
+ cc.ccs = st->g0_ccs;
+- g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
++ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
++ g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ break;
+ case WC_CCS_A_CS94W:
+ is_wide = 1;
+@@ -435,31 +436,37 @@ wc_push_to_iso2022(Str os, wc_wchar_t cc, wc_status *st)
+ break;
+ #endif
+ }
+- g = cs94w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
++ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
++ g = cs94w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ break;
+ case WC_CCS_A_CS96:
+- g = cs96_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
++ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
++ g = cs96_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ break;
+ case WC_CCS_A_CS96W:
+ is_wide = 1;
+- g = cs96w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
++ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
++ g = cs96w_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ break;
+ case WC_CCS_A_CS942:
+- g = cs942_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
++ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
++ g = cs942_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ break;
+ case WC_CCS_A_UNKNOWN_W:
+ if (WcOption.no_replace)
+ return;
+ is_wide = 1;
+ cc.ccs = WC_CCS_US_ASCII;
+- g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
++ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
++ g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ cc.code = ((wc_uint32)WC_REPLACE_W[0] << 8) | WC_REPLACE_W[1];
+ break;
+ case WC_CCS_A_UNKNOWN:
+ if (WcOption.no_replace)
+ return;
+ cc.ccs = WC_CCS_US_ASCII;
+- g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
++ if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE)
++ g = cs94_gmap[WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE];
+ cc.code = (wc_uint32)WC_REPLACE[0];
+ break;
+ default:
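Review bot: The added guards in wc_push_to_iso2022 reject only an index below `WC_F_ISO_BASE`; nothing at `case WC_CCS_A_CS94:` or the six sibling lookups bounds `WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE` against the length of the `*_gmap` table, so a value past the last entry would still be read out of bounds. The table declarations are outside the hunk, so this needs confirming; if they are true arrays in scope, each guard could become `if (WC_CCS_INDEX(cc.ccs) >= WC_F_ISO_BASE && WC_CCS_INDEX(cc.ccs) - WC_F_ISO_BASE < sizeof(cs94_gmap) / sizeof(cs94_gmap[0]))`, with the matching table name at each site. When a guard fails, `g` keeps whatever value it had before the switch, and its initialisation is not visible here, so a short comment such as `/* g stays at its initial value: no G-set mapping for this ccs */` would document the intended fallback. In the two `WC_CCS_A_UNKNOWN*` cases `cc.ccs` has just been set to `WC_CCS_US_ASCII`, so the guard there tests a constant and mainly serves consistency.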
diff --git a/debian/patches/series b/debian/patches/series
index 799a10b..30a6564 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -42,3 +42,4 @@
904_form-update.patch
905_textarea.patch
906_form-update.patch
+907_iso2022.patch