authorTatsuya Kinoshita <tats@debian.org>2016-11-21 14:20:05 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-21 14:20:05 +0000
commitcd811dbbb283e997c3ba9f96680bbb740f159ed5 (patch)
tree30b3e109ef2fefc40ed22a20a61ad7a0865f7ae2
parentNew patch 910_input-alt.patch to fix null deref [CVE-2016-9438] (diff)
New patch 911_rowcolspan.patch to fix stack smashing [CVE-2016-9422]
-rw-r--r--debian/patches/911_rowcolspan.patch26
-rw-r--r--debian/patches/series1
2 files changed, 27 insertions, 0 deletions
diff --git a/debian/patches/911_rowcolspan.patch b/debian/patches/911_rowcolspan.patch
new file mode 100644
index 0000000..a6943bd
--- /dev/null
+++ b/debian/patches/911_rowcolspan.patch
@@ -0,0 +1,26 @@
+Subject: Fix table rowspan and colspan
+Author: Kuang-che Wu <kcwu@google.com>
+Origin: https://github.com/tats/w3m/pull/19
+Bug-Debian: https://github.com/tats/w3m/issues/8 [CVE-2016-9422]
+
+diff --git a/table.c b/table.c
+index d376284..deeab0a 100644
+--- a/table.c
++++ b/table.c
+@@ -2600,12 +2600,16 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode,
+ if ((tbl->row + rowspan) >= tbl->max_rowsize)
+ check_row(tbl, tbl->row + rowspan);
+ }
++ if (rowspan < 1)
++ rowspan = 1;
+ if (parsedtag_get_value(tag, ATTR_COLSPAN, &colspan)) {
+ if ((tbl->col + colspan) >= MAXCOL) {
+ /* Can't expand column */
+ colspan = MAXCOL - tbl->col;
+ }
+ }
++ if (colspan < 1)
++ colspan = 1;
+ if (parsedtag_get_value(tag, ATTR_ALIGN, &i)) {
+ switch (i) {
+ case ALIGN_LEFT:
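Review bot: The added `colspan < 1` clamp runs after the `MAXCOL` cap, so if `tbl->col` is already at `MAXCOL` the cap yields 0 and the clamp raises it back to 1, which puts `tbl->col + colspan` past the limit the cap was meant to enforce; whether `tbl->col` can reach `MAXCOL` at this point is not visible in the hunk. Both range tests also still see the raw attribute value, because `tbl->row + rowspan` and `tbl->col + colspan` are computed before the new lower-bound clamps, and if these are plain `int` (their declarations are outside the hunk) a very large span could overflow the addition and slip past the `>=` comparison. I would move each clamp ahead of its range test and compare without the addition, e.g. `if (colspan >= MAXCOL - tbl->col)`, with an explicit decision for the case where no column is left. A short comment such as `/* attribute value comes from the document; keep span within [1, remaining] */` above each clamp would record why the checks exist. feed_table_tag starts and ends outside the hunk, so later uses of the two spans may already cover part of this.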
diff --git a/debian/patches/series b/debian/patches/series
index 02b2580..4adc8e3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -46,3 +46,4 @@
908_forms.patch
909_button-type.patch
910_input-alt.patch
+911_rowcolspan.patch