aboutsummaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-11-21 13:33:32 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-21 14:03:01 +0000
commit4687f3303f61bb4bd8fbc0264d43f3a3dfb9f3d8 (patch)
tree204cabf316ce90becc08fe7e9b7f2161acae8b7b /debian/patches
parentNew patch 902_johab1.patch to fix array index (closes: #820373) (diff)
downloadw3m-4687f3303f61bb4bd8fbc0264d43f3a3dfb9f3d8.tar.gz
w3m-4687f3303f61bb4bd8fbc0264d43f3a3dfb9f3d8.zip
New patch 903_input-type.patch to fix null deref [CVE-2016-9430]
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/903_input-type.patch35
-rw-r--r--debian/patches/series1
2 files changed, 36 insertions, 0 deletions
diff --git a/debian/patches/903_input-type.patch b/debian/patches/903_input-type.patch
new file mode 100644
index 0000000..a7f5aee
--- /dev/null
+++ b/debian/patches/903_input-type.patch
@@ -0,0 +1,35 @@
+Subject: Prevent segfault with malformed input type
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/7 [CVE-2016-9430]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=59b91cd8e30c86f23476fa81ae005cabff49ebb6
+
+diff --git a/file.c b/file.c
+index 1e363d0..d06b2cf 100644
+--- a/file.c
++++ b/file.c
+@@ -3622,9 +3622,10 @@ process_input(struct parsed_tag *tag)
+ Strcat(tmp, getLinkNumberStr(0));
+ Strcat_char(tmp, '(');
+ }
+- Strcat(tmp, Sprintf("<input_alt hseq=\"%d\" fid=\"%d\" type=%s "
++ Strcat(tmp, Sprintf("<input_alt hseq=\"%d\" fid=\"%d\" type=\"%s\" "
+ "name=\"%s\" width=%d maxlength=%d value=\"%s\"",
+- cur_hseq++, cur_form_id, p, html_quote(r), w, i, qq));
++ cur_hseq++, cur_form_id, html_quote(p),
++ html_quote(r), w, i, qq));
+ if (x)
+ Strcat_charp(tmp, " checked");
+ if (y)
+@@ -3772,9 +3773,10 @@ process_button(struct parsed_tag *tag)
+ }
+
+ // Strcat_charp(tmp, "<pre_int>");
+- Strcat(tmp, Sprintf("<input_alt hseq=\"%d\" fid=\"%d\" type=%s "
++ Strcat(tmp, Sprintf("<input_alt hseq=\"%d\" fid=\"%d\" type=\"%s\" "
+ "name=\"%s\" value=\"%s\">",
+- cur_hseq++, cur_form_id, p, html_quote(r), qq));
++ cur_hseq++, cur_form_id, html_quote(p),
++ html_quote(r), qq));
+ return tmp;
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index 72bd87c..7df5c12 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -38,3 +38,4 @@
900_ChangeLog.patch
901_ucsmap.patch
902_johab1.patch
+903_input-type.patch