Fix multiple vulnerabilities (closes: #850432)

- New patch 934_menu.patch to fix buffer overflow (tats/w3m#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62)
- New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63)
- New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61)
- New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58)
- New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70)
- New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71)
- New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66)
- New patch 944_lineproc0.patch to fix use after free (tats/w3m#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57)
- New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72)
- New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77)
- New patch 950_textarea.patch to fix infinite loop (tats/w3m#85)
- New patch 951_lineproc0.patch to fix use after free (tats/w3m#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (tats/w3m#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68)

1 files changed, 40 insertions, 0 deletions

diff --git a/debian/patches/945_wtfstrwidth.patch b/debian/patches/945_wtfstrwidth.patch
new file mode 100644
index 0000000..36ee878
--- /dev/null
+++ b/debian/patches/945_wtfstrwidth.patch
@@ -0,0 +1,40 @@
+Subject: Prevent overflow beyond the end of string in wtf_strwidth() and wtf_len()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/57
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7fbaf9444fcd2d3ce061775949b38deb4d489943
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a56a8ef132945512c010cbcbc873dbb42274f9bd
+
+---
+ libwc/wtf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index b8cfdc7..adee338 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -120,8 +120,9 @@ int
+ wtf_strwidth(wc_uchar *p)
+ {
+     int w = 0;
++    wc_uchar *q = p + strlen(p);
+ 
+-    while (*p) {
++    while (p < q) {
+ 	w += wtf_width(p);
+ 	p += WTF_LEN_MAP[*p];
+     }
+@@ -140,9 +141,10 @@ size_t
+ wtf_len(wc_uchar *p)
+ {
+     wc_uchar *q = p;
++    wc_uchar *strz = p + strlen(p);
+ 
+     q += WTF_LEN_MAP[*q];
+-    while (*q && ! WTF_WIDTH_MAP[*q])
++    while (q < strz && ! WTF_WIDTH_MAP[*q])
+ 	q += WTF_LEN_MAP[*q];
+     return q - p;
+ }
+-- 
+2.10.2
+