author | Tatsuya Kinoshita <tats@debian.org> | 2016-11-21 14:20:05 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2016-11-21 14:20:05 +0000 |
commit | cd811dbbb283e997c3ba9f96680bbb740f159ed5 (patch) | |
tree | 30b3e109ef2fefc40ed22a20a61ad7a0865f7ae2 | |
parent | New patch 910_input-alt.patch to fix null deref [CVE-2016-9438] (diff) | |
download | w3m-cd811dbbb283e997c3ba9f96680bbb740f159ed5.tar.gz w3m-cd811dbbb283e997c3ba9f96680bbb740f159ed5.zip |
New patch 911_rowcolspan.patch to fix stack smashing [CVE-2016-9422]
-rw-r--r-- | debian/patches/911_rowcolspan.patch | 26 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 27 insertions, 0 deletions
diff --git a/debian/patches/911_rowcolspan.patch b/debian/patches/911_rowcolspan.patch
new file mode 100644
index 0000000..a6943bd
--- /dev/null
+++ b/debian/patches/911_rowcolspan.patch
@@ -0,0 +1,26 @@
+Subject: Fix table rowspan and colspan
+Author: Kuang-che Wu <kcwu@google.com>
+Origin: https://github.com/tats/w3m/pull/19
+Bug-Debian: https://github.com/tats/w3m/issues/8 [CVE-2016-9422]
+
+diff --git a/table.c b/table.c
+index d376284..deeab0a 100644
+--- a/table.c
++++ b/table.c
+@@ -2600,12 +2600,16 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode,
+ if ((tbl->row + rowspan) >= tbl->max_rowsize)
+ check_row(tbl, tbl->row + rowspan);
+ }
++ if (rowspan < 1)
++ rowspan = 1;
+ if (parsedtag_get_value(tag, ATTR_COLSPAN, &colspan)) {
+ if ((tbl->col + colspan) >= MAXCOL) {
+ /* Can't expand column */
+ colspan = MAXCOL - tbl->col;
+ }
+ }
++ if (colspan < 1)
++ colspan = 1;
+ if (parsedtag_get_value(tag, ATTR_ALIGN, &i)) {
+ switch (i) {
+ case ALIGN_LEFT:
diff --git a/debian/patches/series b/debian/patches/series
index 02b2580..4adc8e3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -46,3 +46,4 @@
 908_forms.patch
 909_button-type.patch
 910_input-alt.patch
+911_rowcolspan.patch |
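Review bot: In the embedded table.c hunk both clamps run after the bounds logic they are meant to protect: `check_row(tbl, tbl->row + rowspan)` and the `(tbl->col + colspan) >= MAXCOL` test still see the raw attribute value, so a zero or negative span is range-checked first and only then raised to 1. Moving each clamp directly after the value is parsed, e.g. `if (colspan < 1) colspan = 1;` ahead of the MAXCOL test, keeps the value that is checked identical to the value that is used. Only the lower bound is handled; if the spans are plain `int`s (their declarations are not in the hunk), a very large attribute value can overflow the signed addition, and writing the test as `colspan > MAXCOL - tbl->col` would avoid that. When `tbl->col` is already at MAXCOL the cap yields 0 and the new clamp turns it back into 1, so it is worth confirming from the code after the hunk that the resulting column index stays inside the table arrays. The rowspan block opens before the hunk and feed_table_tag continues past it.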