diff options
| author | Tatsuya Kinoshita <tats@debian.org> | 2017-01-06 14:18:40 +0000 |
|---|---|---|
| committer | Tatsuya Kinoshita <tats@debian.org> | 2017-01-06 14:18:40 +0000 |
| commit | d73f74e2cb70297d1373d7fa8921881106dc0b58 (patch) | |
| tree | 66567ba8a175389f4d72346e5440bae0eb882c76 /debian/patches/949_wtftowcs.patch | |
| parent | Debian release 0.5.3-19+deb8u1 (diff) | |
| download | w3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.tar.gz w3m-d73f74e2cb70297d1373d7fa8921881106dc0b58.zip | |
Fix multiple vulnerabilities (closes: #850432)
- New patch 934_menu.patch to fix buffer overflow (tats/w3m#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62)
- New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63)
- New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61)
- New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58)
- New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70)
- New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71)
- New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66)
- New patch 944_lineproc0.patch to fix use after free (tats/w3m#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57)
- New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72)
- New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69)
- New patch 948_getmclen.patch to fix buffer overflow
(tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77)
- New patch 950_textarea.patch to fix infinite loop (tats/w3m#85)
- New patch 951_lineproc0.patch to fix use after free (tats/w3m#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82)
- New patch 953_formupdateline.patch to fix buffer overflow
(tats/w3m#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68)
Diffstat (limited to 'debian/patches/949_wtftowcs.patch')
| -rw-r--r-- | debian/patches/949_wtftowcs.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/debian/patches/949_wtftowcs.patch b/debian/patches/949_wtftowcs.patch new file mode 100644 index 0000000..d53a1f9 --- /dev/null +++ b/debian/patches/949_wtftowcs.patch @@ -0,0 +1,36 @@ +Subject: Prevent overflow beyond the end of string for wtf to wcs macros +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/77 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=c3a3305e0334f76626aeaca76bcfab04a94f851d + +--- + libwc/wtf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libwc/wtf.c b/libwc/wtf.c +index e80d990..cdc6cbc 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -173,15 +173,17 @@ wtf_type(wc_uchar *p) + ((p)[3] = (((c) >> 7) & 0x7f) | 0x80), \ + ((p)[4] = ( (c) & 0x7f) | 0x80) + #define wtf_to_wcs16(p) \ ++ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 ? 0 : \ + ((wc_uint32)((p)[0] & 0x03) << 14) \ + | ((wc_uint32)((p)[1] & 0x7f) << 7) \ +- | ((wc_uint32)((p)[2] & 0x7f) ) ++ | ((wc_uint32)((p)[2] & 0x7f) )) + #define wtf_to_wcs32(p) \ ++ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 || (p)[3] == 0 || (p)[4] == 0 ? 0 : \ + ((wc_uint32)((p)[0] & 0x0f) << 28) \ + | ((wc_uint32)((p)[1] & 0x7f) << 21) \ + | ((wc_uint32)((p)[2] & 0x7f) << 14) \ + | ((wc_uint32)((p)[3] & 0x7f) << 7) \ +- | ((wc_uint32)((p)[4] & 0x7f) ) ++ | ((wc_uint32)((p)[4] & 0x7f) )) + + void + wtf_push(Str os, wc_ccs ccs, wc_uint32 code) +-- +2.10.2 + |