diff options
author | Tatsuya Kinoshita <tats@debian.org> | 2016-11-21 14:51:40 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2016-11-21 14:51:40 +0000 |
commit | a6b7f6829f9377899a62b3a13755befc9de297db (patch) | |
tree | 55d3f2c716051256047188b0ff0dfd8d828746a7 /debian/patches/919_form-update.patch | |
parent | New patch 918_form-value.patch to fix null deref [CVE-2016-9443] (diff) | |
download | w3m-a6b7f6829f9377899a62b3a13755befc9de297db.tar.gz w3m-a6b7f6829f9377899a62b3a13755befc9de297db.zip |
New patch 919_form-update.patch to fix buffer overflow [CVE-2016-9429]
Diffstat (limited to 'debian/patches/919_form-update.patch')
-rw-r--r-- | debian/patches/919_form-update.patch | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/debian/patches/919_form-update.patch b/debian/patches/919_form-update.patch new file mode 100644 index 0000000..bfd1d8a --- /dev/null +++ b/debian/patches/919_form-update.patch @@ -0,0 +1,27 @@ +Subject: Prevent global-buffer-overflow write in formUpdateBuffer +Author: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/29 [CVE-2016-9429] +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d01de738f599441740437c6600dd5b1ae7155d27 + +diff --git a/form.c b/form.c +index e891df1..de7a4d9 100644 +--- a/form.c ++++ b/form.c +@@ -442,6 +442,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) + switch (form->type) { + case FORM_INPUT_CHECKBOX: + case FORM_INPUT_RADIO: ++ if (spos >= buf->currentLine->len || spos < 0) ++ break; + if (form->checked) + buf->currentLine->lineBuf[spos] = '*'; + else +@@ -487,7 +489,7 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) + spos = a->start.pos; + epos = a->end.pos; + } +- if (a->start.line != a->end.line || spos > epos || epos >= l->len) ++ if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0) + break; + pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col, + rows > 1, |