Fix multiple vulnerabilities (closes: #850432)

- New patch 934_menu.patch to fix buffer overflow (tats/w3m#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62)
- New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63)
- New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61)
- New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58)
- New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70)
- New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71)
- New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66)
- New patch 944_lineproc0.patch to fix use after free (tats/w3m#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57)
- New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72)
- New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69)
- New patch 948_getmclen.patch to fix buffer overflow
  (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77)
- New patch 950_textarea.patch to fix infinite loop (tats/w3m#85)
- New patch 951_lineproc0.patch to fix use after free (tats/w3m#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82)
- New patch 953_formupdateline.patch to fix buffer overflow
  (tats/w3m#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68)

1 files changed, 84 insertions, 0 deletions

diff --git a/debian/patches/954_wtfparse1.patch b/debian/patches/954_wtfparse1.patch
new file mode 100644
index 0000000..62b5e91
--- /dev/null
+++ b/debian/patches/954_wtfparse1.patch
@@ -0,0 +1,84 @@
+Subject: Prevent overflow beyond the end of string in wtf_parse1()
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/68
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=00433f4ac2645ac6236ea1892b4a93f26a039a84
+
+---
+ libwc/wtf.c | 44 ++++++++++++++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index cdc6cbc..94d95c1 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -397,7 +397,7 @@ wtf_parse1(wc_uchar **p)
+ 	cc.code = *(q++);
+     } else if (*q > 0xa0) {
+ 	cc.ccs = wtf_gr_ccs;
+-	if (WC_CCS_IS_WIDE(cc.ccs)) {
++	if (WC_CCS_IS_WIDE(cc.ccs) && *(q+1)) {
+ 	    cc.code = ((wc_uint32)*q << 8) | *(q+1);
+ 	    q += 2;
+ 	} else
+@@ -410,27 +410,47 @@ wtf_parse1(wc_uchar **p)
+ 	case WC_CCS_A_CS942:
+ 	case WC_CCS_A_PCS:
+ 	case WC_CCS_A_UNKNOWN:
+-	    cc.ccs |= *(q++) & 0x7f;
+-	    cc.code = *(q++);
++	    if (*q && *(q+1)) {
++		cc.ccs |= *(q++) & 0x7f;
++		cc.code = *(q++);
++	    } else {
++		cc.ccs = WC_CCS_US_ASCII;
++		cc.code = (wc_uint32)' ';
++	    }
+ 	    break;
+ 	case WC_CCS_A_CS94W:
+ 	case WC_CCS_A_CS96W:
+ 	case WC_CCS_A_PCSW:
+-	    cc.ccs |= *(q++) & 0x7f;
+-	    cc.code = ((wc_uint32)*q << 8) | *(q+1);
+-	    q += 2;
++	    if (*q && *(q+1) && *(q+2)) {
++		cc.ccs |= *(q++) & 0x7f;
++		cc.code = ((wc_uint32)*q << 8) | *(q+1);
++		q += 2;
++	    } else {
++		cc.ccs = WC_CCS_US_ASCII;
++		cc.code = (wc_uint32)' ';
++	    }
+ 	    break;
+ 	case WC_CCS_A_WCS16:
+ 	case WC_CCS_A_WCS16W:
+-	    cc.ccs |= (*q & 0x7c) >> 2;
+-	    cc.code = wtf_to_wcs16(q);
+-	    q += 3;
++	    if (*q && *(q+1) && *(q+2)) {
++		cc.ccs |= (*q & 0x7c) >> 2;
++		cc.code = wtf_to_wcs16(q);
++		q += 3;
++	    } else {
++		cc.ccs = WC_CCS_US_ASCII;
++		cc.code = (wc_uint32)' ';
++	    }
+ 	    break;
+ 	case WC_CCS_A_WCS32:
+ 	case WC_CCS_A_WCS32W:
+-	    cc.ccs |= (*q & 0x70) >> 4;
+-	    cc.code = wtf_to_wcs32(q);
+-	    q += 5;
++	    if (*q && *(q+1) && *(q+2) && *(q+3) && *(q+4)) {
++		cc.ccs |= (*q & 0x70) >> 4;
++		cc.code = wtf_to_wcs32(q);
++		q += 5;
++	    } else {
++		cc.ccs = WC_CCS_US_ASCII;
++		cc.code = (wc_uint32)' ';
++	    }
+ 	    break;
+ 	default:
+ 	/* case 0: */
+-- 
+2.10.2
+