aboutsummaryrefslogtreecommitdiffstats
path: root/debian/patches/905_textarea.patch
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-11-21 13:41:44 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-21 14:03:33 +0000
commitb2485c4c90a43503c461c251d377683c03d76b4d (patch)
tree390a13123d4b0f28ef4434ba638f29e8dc8668b9 /debian/patches/905_textarea.patch
parentNew patch 904_form-update.patch to fix overflow (diff)
downloadw3m-b2485c4c90a43503c461c251d377683c03d76b4d.tar.gz
w3m-b2485c4c90a43503c461c251d377683c03d76b4d.zip
New patch 905_textarea.patch to fix heap write [CVE-2016-9424]
Diffstat (limited to 'debian/patches/905_textarea.patch')
-rw-r--r--debian/patches/905_textarea.patch75
1 files changed, 75 insertions, 0 deletions
diff --git a/debian/patches/905_textarea.patch b/debian/patches/905_textarea.patch
new file mode 100644
index 0000000..86d53c6
--- /dev/null
+++ b/debian/patches/905_textarea.patch
@@ -0,0 +1,75 @@
+Subject: Prevent negative array index for selectnumber and textareanumber
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/12 [CVE-2016-9424]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a25fd09f74fb83499396935a96d63bb7cb8e2c58
+
+diff --git a/file.c b/file.c
+index d06b2cf..4056393 100644
+--- a/file.c
++++ b/file.c
+@@ -67,7 +67,7 @@ static int cur_status;
+ #ifdef MENU_SELECT
+ /* menu based <select> */
+ FormSelectOption *select_option;
+-static int max_select = MAX_SELECT;
++int max_select = MAX_SELECT;
+ static int n_select;
+ static int cur_option_maxwidth;
+ #endif /* MENU_SELECT */
+@@ -79,7 +79,7 @@ static int cur_textarea_rows;
+ static int cur_textarea_readonly;
+ static int n_textarea;
+ static int ignore_nl_textarea;
+-static int max_textarea = MAX_TEXTAREA;
++int max_textarea = MAX_TEXTAREA;
+
+ static int http_response_code;
+
+@@ -5986,7 +5986,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
+ case HTML_TEXTAREA_INT:
+ if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER,
+ &n_textarea)
+- && n_textarea < max_textarea) {
++ && n_textarea >= 0 && n_textarea < max_textarea) {
+ textarea_str[n_textarea] = Strnew();
+ }
+ else
+@@ -6003,7 +6003,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
+ #ifdef MENU_SELECT
+ case HTML_SELECT_INT:
+ if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &n_select)
+- && n_select < max_select) {
++ && n_select >= 0 && n_select < max_select) {
+ select_option[n_select].first = NULL;
+ select_option[n_select].last = NULL;
+ }
+diff --git a/form.c b/form.c
+index 87a5d49..da115fa 100644
+--- a/form.c
++++ b/form.c
+@@ -10,8 +10,10 @@
+ #include "regex.h"
+
+ extern Str *textarea_str;
++extern int max_textarea;
+ #ifdef MENU_SELECT
+ extern FormSelectOption *select_option;
++extern int max_select;
+ #include "menu.h"
+ #endif /* MENU_SELECT */
+
+@@ -122,10 +124,12 @@ formList_addInput(struct form_list *fl, struct parsed_tag *tag)
+ parsedtag_get_value(tag, ATTR_SIZE, &item->size);
+ parsedtag_get_value(tag, ATTR_MAXLENGTH, &item->maxlength);
+ item->readonly = parsedtag_exists(tag, ATTR_READONLY);
+- if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i))
++ if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i)
++ && i >= 0 && i < max_textarea)
+ item->value = item->init_value = textarea_str[i];
+ #ifdef MENU_SELECT
+- if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i))
++ if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i)
++ && i >= 0 && i < max_select)
+ item->select_option = select_option[i].first;
+ #endif /* MENU_SELECT */
+ if (parsedtag_get_value(tag, ATTR_ROWS, &p))