author | Tatsuya Kinoshita <tats@debian.org> | 2021-04-10 23:18:36 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2021-04-24 14:39:52 +0000 |
commit | 56ce2a2cc8c31a2e57a5055132c0caa626c9c67c (patch) | |
tree | ce58563488439cbe0f4b58fc9aa940f4fd571d3b /file.c | |
parent | Check length of hostname with STR_SIZE_MAX (diff) | |
Prevent integer overflow due to fontstat
Diffstat (limited to 'file.c')
-rw-r--r-- | file.c | 21 |
1 files changed, 14 insertions, 7 deletions
@@ -3196,7 +3196,8 @@ save_fonteffect(struct html_feed_environ *h_env, struct readbuffer *obuf)
 if (obuf->fontstat_sp < FONT_STACK_SIZE)
 bcopy(obuf->fontstat, obuf->fontstat_stack[obuf->fontstat_sp], FONTSTAT_SIZE);
- obuf->fontstat_sp++;
+ if (obuf->fontstat_sp < INT_MAX)
+ obuf->fontstat_sp++;
 if (obuf->in_bold)
 push_tag(obuf, "</b>", HTML_N_B);
 if (obuf->in_italic)
@@ -4493,7 +4494,8 @@ HTMLtagproc1(struct parsed_tag *tag, struct html_feed_environ *h_env)
 switch (cmd) {
 case HTML_B:
- obuf->in_bold++;
+ if (obuf->in_bold < FONTSTAT_MAX)
+ obuf->in_bold++;
 if (obuf->in_bold > 1)
 return 1;
 return 0;
@@ -4507,7 +4509,8 @@ HTMLtagproc1(struct parsed_tag *tag, struct html_feed_environ *h_env)
 }
 return 1;
 case HTML_I:
- obuf->in_italic++;
+ if (obuf->in_italic < FONTSTAT_MAX)
+ obuf->in_italic++;
 if (obuf->in_italic > 1)
 return 1;
 return 0;
@@ -4521,7 +4524,8 @@ HTMLtagproc1(struct parsed_tag *tag, struct html_feed_environ *h_env)
 }
 return 1;
 case HTML_U:
- obuf->in_under++;
+ if (obuf->in_under < FONTSTAT_MAX)
+ obuf->in_under++;
 if (obuf->in_under > 1)
 return 1;
 return 0;
@@ -5359,7 +5363,8 @@ HTMLtagproc1(struct parsed_tag *tag, struct html_feed_environ *h_env)
 HTMLlineproc1("<U>[DEL:</U>", h_env);
 break;
 case DISPLAY_INS_DEL_FONTIFY:
- obuf->in_strike++;
+ if (obuf->in_strike < FONTSTAT_MAX)
+ obuf->in_strike++;
 if (obuf->in_strike == 1) {
 push_tag(obuf, "<s>", HTML_S);
 }
@@ -5396,7 +5401,8 @@ HTMLtagproc1(struct parsed_tag *tag, struct html_feed_environ *h_env)
 HTMLlineproc1("<U>[S:</U>", h_env);
 break;
 case DISPLAY_INS_DEL_FONTIFY:
- obuf->in_strike++;
+ if (obuf->in_strike < FONTSTAT_MAX)
+ obuf->in_strike++;
 if (obuf->in_strike == 1) {
 push_tag(obuf, "<s>", HTML_S);
 }
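Review bot: The new guard in save_fonteffect saturates `obuf->fontstat_sp` at `INT_MAX`, while the other counters touched by this commit are capped at `FONTSTAT_MAX`, and the hunk carries no comment explaining why the depth counter is allowed to keep growing past `FONT_STACK_SIZE`. Because only the `bcopy` is gated on `fontstat_sp < FONT_STACK_SIZE`, every other place that indexes `fontstat_stack[fontstat_sp]` has to repeat that bound; the restore path is not part of this diff and is worth checking. I would add `/* fontstat_sp counts nesting depth and may exceed FONT_STACK_SIZE; saturate so hostile nesting cannot wrap it */` above the check. `INT_MAX` also assumes `fontstat_sp` is an `int` and that `<limits.h>` is included, neither of which is visible here. The function body continues outside the hunk.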
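Review bot: The saturating increment `if (obuf->in_bold < FONTSTAT_MAX) obuf->in_bold++;` in the `HTML_B` case is repeated verbatim for `in_italic`, `in_under`, `in_strike` (twice) and `in_ins` in the later hunks, so the cap is spelled out in six places inside HTMLtagproc1. A single helper, for example `#define FONTSTAT_INC(c) do { if ((c) < FONTSTAT_MAX) (c)++; } while (0)`, would keep the bound in one place and make a missed counter easier to spot. Once a counter is pinned at `FONTSTAT_MAX`, further opening tags are no longer counted, so the matching closing tags will presumably bring it to zero while elements are still open; that is a rendering inaccuracy rather than a memory-safety problem, but a short comment saying so would help, since the decrement sites are outside these hunks. `FONTSTAT_MAX` itself is not defined in the visible diff (the diffstat is limited to file.c), so its value should be checked against the type of these fields.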
@@ -5432,7 +5438,8 @@ HTMLtagproc1(struct parsed_tag *tag, struct html_feed_environ *h_env)
 HTMLlineproc1("<U>[INS:</U>", h_env);
 break;
 case DISPLAY_INS_DEL_FONTIFY:
- obuf->in_ins++;
+ if (obuf->in_ins < FONTSTAT_MAX)
+ obuf->in_ins++;
 if (obuf->in_ins == 1) {
 push_tag(obuf, "<ins>", HTML_INS);
 }
|