aboutsummaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-11-21 14:39:06 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-21 14:39:06 +0000
commit109d4215269987279f9d4021ec16f37227fedf3a (patch)
treed5713d30982c2bbe36e52c6fda72714596526bf9 /debian/patches
parentNew patch 915_table-alt.patch to fix near-null deref [CVE-2016-9441] (diff)
downloadw3m-109d4215269987279f9d4021ec16f37227fedf3a.tar.gz
w3m-109d4215269987279f9d4021ec16f37227fedf3a.zip
New patch 916_anchor.patch to fix heap write
[CVE-2016-9425] [CVE-2016-9428]
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/916_anchor.patch19
-rw-r--r--debian/patches/series1
2 files changed, 20 insertions, 0 deletions
diff --git a/debian/patches/916_anchor.patch b/debian/patches/916_anchor.patch
new file mode 100644
index 0000000..a5dbe61
--- /dev/null
+++ b/debian/patches/916_anchor.patch
@@ -0,0 +1,19 @@
+Subject: Prevent segfault due to buffer overflows in addMultirowsForm
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/21 [CVE-2016-9425]
+Bug-Debian: https://github.com/tats/w3m/issues/26 [CVE-2016-9428]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=4e464819dd360ffd3d58fa2a89216fe413cfcc74
+
+diff --git a/anchor.c b/anchor.c
+index 39f221d..e006aea 100644
+--- a/anchor.c
++++ b/anchor.c
+@@ -687,6 +687,8 @@ addMultirowsForm(Buffer *buf, AnchorList *al)
+ a->hseq = a_form.hseq;
+ a->y = a_form.y;
+ a->end.pos = pos + ecol - col;
++ if (pos < 1 || a->end.pos >= l->size)
++ continue;
+ l->lineBuf[pos - 1] = '[';
+ l->lineBuf[a->end.pos] = ']';
+ for (k = pos; k < a->end.pos; k++)
diff --git a/debian/patches/series b/debian/patches/series
index fb9b5b7..2720145 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -51,3 +51,4 @@
913_tabwidth.patch
914_curline.patch
915_table-alt.patch
+916_anchor.patch