diff options
author | Tatsuya Kinoshita <tats@debian.org> | 2018-01-26 09:48:00 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2018-01-26 09:48:00 +0000 |
commit | cfe407def7d6fd10c905f7b20e57b85122a1c8d9 (patch) | |
tree | 6f019e679081ca32a15e525a5e69774c59f13274 /debian/patches/956_columnpos.patch | |
parent | New patch 955_tbl-indent.patch to fix stack overflow [CVE-2018-6196] (diff) | |
download | w3m-cfe407def7d6fd10c905f7b20e57b85122a1c8d9.tar.gz w3m-cfe407def7d6fd10c905f7b20e57b85122a1c8d9.zip |
New patch 956_columnpos.patch to fix null deref [CVE-2018-6197]
Diffstat (limited to 'debian/patches/956_columnpos.patch')
-rw-r--r-- | debian/patches/956_columnpos.patch | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/debian/patches/956_columnpos.patch b/debian/patches/956_columnpos.patch new file mode 100644 index 0000000..e8e6118 --- /dev/null +++ b/debian/patches/956_columnpos.patch @@ -0,0 +1,18 @@ +Subject: Prevent invalid columnPos() call in formUpdateBuffer() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/89 [CVE-2018-6197] +Origin: https://salsa.debian.org/debian/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8 + +diff --git a/form.c b/form.c +index 0605513..0a71f9c 100644 +--- a/form.c ++++ b/form.c +@@ -483,6 +483,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) + rows = form->rows ? form->rows : 1; + col = COLPOS(l, a->start.pos); + for (c_rows = 0; c_rows < rows; c_rows++, l = l->next) { ++ if (l == NULL) ++ break; + if (rows > 1) { + pos = columnPos(l, col); + a = retrieveAnchor(buf->formitem, l->linenumber, pos); |