Fix multiple vulnerabilities (closes: #850432)

- New patch 934_menu.patch to fix buffer overflow (tats/w3m#49) - New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62) - New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63) - New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67) - New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61) - New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58) - New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60) - New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70) - New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71) - New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66) - New patch 944_lineproc0.patch to fix use after free (tats/w3m#65) - New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57) - New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72) - New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69) - New patch 948_getmclen.patch to fix buffer overflow (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84) - New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77) - New patch 950_textarea.patch to fix infinite loop (tats/w3m#85) - New patch 951_lineproc0.patch to fix use after free (tats/w3m#81) - New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82) - New patch 953_formupdateline.patch to fix buffer overflow (tats/w3m#68#issuecomment-266214643) - New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68)
author: Tatsuya Kinoshita <tats@debian.org> 2017-01-06 14:18:40 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2017-01-06 14:18:40 +0000
commit: d73f74e2cb70297d1373d7fa8921881106dc0b58 (patch)
tree: 66567ba8a175389f4d72346e5440bae0eb882c76 /debian/patches/948_getmclen.patch
parent: Debian release 0.5.3-19+deb8u1 (diff)
download: w3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.tar.gz
w3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.zip
1 files changed, 76 insertions, 0 deletions
diff --git a/debian/patches/948_getmclen.patch b/debian/patches/948_getmclen.patch
new file mode 100644
index 0000000..1504f23
--- /dev/null
+++ b/debian/patches/948_getmclen.patch
@@ -0,0 +1,76 @@
+Subject: Prevent overflow beyond the end of string in caller of get_mclen()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/59
+Bug-Debian: https://github.com/tats/w3m/issues/73
+Bug-Debian: https://github.com/tats/w3m/issues/74
+Bug-Debian: https://github.com/tats/w3m/issues/75
+Bug-Debian: https://github.com/tats/w3m/issues/76
+Bug-Debian: https://github.com/tats/w3m/issues/78
+Bug-Debian: https://github.com/tats/w3m/issues/79
+Bug-Debian: https://github.com/tats/w3m/issues/80
+Bug-Debian: https://github.com/tats/w3m/issues/83
+Bug-Debian: https://github.com/tats/w3m/issues/84
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6eea841d3a0f8dc539584dc67b15f585a8213775
+
+---
+ file.c      |  2 +-
+ libwc/wtf.c | 11 ++++++++---
+ libwc/wtf.h |  3 +--
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/file.c b/file.c
+index f5ca8d2..4fe8239 100644
+--- a/file.c
++++ b/file.c
+@@ -3438,7 +3438,7 @@ process_img(struct parsed_tag *tag, int width)
+ 	if (use_image) {
+ 	    if (n > nw) {
+ 		char *r;
+-		for (r = q, n = 0; r; r += get_mclen(r), n += get_mcwidth(r)) {
++		for (r = q, n = 0; *r; r += get_mclen(r), n += get_mcwidth(r)) {
+ 		    if (n + get_mcwidth(r) > nw)
+ 			break;
+ 		}
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index adee338..e80d990 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -129,13 +129,18 @@ wtf_strwidth(wc_uchar *p)
+     return w;
+ }
+ 
+-/*
+ size_t
+ wtf_len1(wc_uchar *p)
+ {
+-    return (size_t)WTF_LEN_MAP[*p];
++    size_t len, len_max = WTF_LEN_MAP[*p];
++
++    for (len = 0; *(p + len); len++)
++	if (len == len_max)
++	    break;
++    if (len == 0)
++	len = 1;
++    return len;
+ }
+-*/
+ 
+ size_t
+ wtf_len(wc_uchar *p)
+diff --git a/libwc/wtf.h b/libwc/wtf.h
+index ad47973..435526f 100644
+--- a/libwc/wtf.h
++++ b/libwc/wtf.h
+@@ -59,8 +59,7 @@ extern void       wtf_init(wc_ces ces1, wc_ces ces2);
+ #define wtf_width(p) (WcOption.use_wide ? (int)WTF_WIDTH_MAP[(wc_uchar)*(p)] \
+ 		      : ((int)WTF_WIDTH_MAP[(wc_uchar)*(p)] ? 1 : 0))
+ extern int        wtf_strwidth(wc_uchar *p);
+-/* extern size_t  wtf_len1(wc_uchar *p); */
+-#define wtf_len1(p) ((int)WTF_LEN_MAP[(wc_uchar)*(p)])
++extern size_t     wtf_len1(wc_uchar *p);
+ extern size_t     wtf_len(wc_uchar *p);
+ /* extern int     wtf_type(wc_uchar *p); */
+ #define wtf_type(p) WTF_TYPE_MAP[(wc_uchar)*(p)]
+-- 
+2.10.2
+
author	Tatsuya Kinoshita <tats@debian.org>	2017-01-06 14:18:40 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2017-01-06 14:18:40 +0000
commit	d73f74e2cb70297d1373d7fa8921881106dc0b58 (patch)
tree	66567ba8a175389f4d72346e5440bae0eb882c76 /debian/patches/948_getmclen.patch
parent	Debian release 0.5.3-19+deb8u1 (diff)
download	w3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.tar.gz w3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.zip