authorTatsuya Kinoshita <tats@debian.org>2016-08-17 10:47:19 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-19 05:11:41 +0000
commitbde3a3e9a0b10a9274a837ea09296400cdd513c9 (patch)
tree77fefdef511b43781043417cf3a04ec556a37cfb /file.c
parentPrevent segfault for formUpdateBuffer (diff)
Prevent negative array index for selectnumber and textareanumber
Bug-Debian: https://github.com/tats/w3m/issues/12 [CVE-2016-9424] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a25fd09f74fb83499396935a96d63bb7cb8e2c58
Diffstat (limited to 'file.c')
-rw-r--r--file.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/file.c b/file.c
index d06b2cf..4056393 100644
--- a/file.c
+++ b/file.c
@@ -67,7 +67,7 @@ static int cur_status;
#ifdef MENU_SELECT
/* menu based <select> */
FormSelectOption *select_option;
-static int max_select = MAX_SELECT;
+int max_select = MAX_SELECT;
static int n_select;
static int cur_option_maxwidth;
#endif /* MENU_SELECT */
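Review bot: Dropping `static` from `max_select` here, and from `max_textarea` in the next hunk, gives both bounds external linkage, but this file-limited diff shows no shared declaration for them. If other translation units are meant to range-check form indices against these values, declare them once in a common header, `extern int max_select;` under the same `#ifdef MENU_SELECT` guard and `extern int max_textarea;`, rather than repeating ad hoc `extern` lines at each use. A short comment on each definition, such as `/* upper bound for select_option[] indices; also read outside file.c */` (if that is what the variable tracks), would record why it is no longer file-local.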
@@ -79,7 +79,7 @@ static int cur_textarea_rows;
static int cur_textarea_readonly;
static int n_textarea;
static int ignore_nl_textarea;
-static int max_textarea = MAX_TEXTAREA;
+int max_textarea = MAX_TEXTAREA;
static int http_response_code;
@@ -5986,7 +5986,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
case HTML_TEXTAREA_INT:
if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER,
&n_textarea)
- && n_textarea < max_textarea) {
+ && n_textarea >= 0 && n_textarea < max_textarea) {
textarea_str[n_textarea] = Strnew();
}
else
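Review bot: `parsedtag_get_value()` still writes the tag-supplied number straight into the file-scope `n_textarea` before the new `n_textarea >= 0` test runs, so a rejected value stays in that variable unless the `else` branch resets it; the body of that branch lies outside this hunk. Any later code that indexes `textarea_str[n_textarea]` then depends on that reset or on its own range check. Parsing into a local and committing only after validation removes the dependency: `int n;` followed by `if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &n) && n >= 0 && n < max_textarea) { n_textarea = n; ...`. The same applies to `n_select` in the `HTML_SELECT_INT` hunk, where no `else` is visible within the hunk at all.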
@@ -6003,7 +6003,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
#ifdef MENU_SELECT
case HTML_SELECT_INT:
if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &n_select)
- && n_select < max_select) {
+ && n_select >= 0 && n_select < max_select) {
select_option[n_select].first = NULL;
select_option[n_select].last = NULL;
}