aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-10-07 22:06:12 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-10-07 22:06:12 +0000
commitd01de738f599441740437c6600dd5b1ae7155d27 (patch)
tree9432793ad8798215e445384e3e4586f45216d717
parentFix null pointer dereference in formUpdateBuffer (diff)
downloadw3m-d01de738f599441740437c6600dd5b1ae7155d27.tar.gz
w3m-d01de738f599441740437c6600dd5b1ae7155d27.zip
Prevent global-buffer-overflow write in formUpdateBuffer
Bug-Debian: https://github.com/tats/w3m/issues/29
-rw-r--r--form.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/form.c b/form.c
index 1e3aaad..71c19d0 100644
--- a/form.c
+++ b/form.c
@@ -442,6 +442,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
switch (form->type) {
case FORM_INPUT_CHECKBOX:
case FORM_INPUT_RADIO:
+ if (spos >= buf->currentLine->len || spos < 0)
+ break;
if (form->checked)
buf->currentLine->lineBuf[spos] = '*';
else
@@ -485,7 +487,7 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
spos = a->start.pos;
epos = a->end.pos;
}
- if (a->start.line != a->end.line || spos > epos || epos >= l->len)
+ if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0)
break;
pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,
rows > 1,