aboutsummaryrefslogtreecommitdiffstats
path: root/form.c
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@debian.org>2016-08-17 10:47:19 +0000
committerTatsuya Kinoshita <tats@debian.org>2016-11-19 05:11:41 +0000
commitbde3a3e9a0b10a9274a837ea09296400cdd513c9 (patch)
tree77fefdef511b43781043417cf3a04ec556a37cfb /form.c
parentPrevent segfault for formUpdateBuffer (diff)
downloadw3m-bde3a3e9a0b10a9274a837ea09296400cdd513c9.tar.gz
w3m-bde3a3e9a0b10a9274a837ea09296400cdd513c9.zip
Prevent negative array index for selectnumber and textareanumber
Bug-Debian: https://github.com/tats/w3m/issues/12 [CVE-2016-9424] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a25fd09f74fb83499396935a96d63bb7cb8e2c58
Diffstat (limited to '')
-rw-r--r--form.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/form.c b/form.c
index 87a5d49..da115fa 100644
--- a/form.c
+++ b/form.c
@@ -10,8 +10,10 @@
#include "regex.h"
extern Str *textarea_str;
+extern int max_textarea;
#ifdef MENU_SELECT
extern FormSelectOption *select_option;
+extern int max_select;
#include "menu.h"
#endif /* MENU_SELECT */
@@ -122,10 +124,12 @@ formList_addInput(struct form_list *fl, struct parsed_tag *tag)
parsedtag_get_value(tag, ATTR_SIZE, &item->size);
parsedtag_get_value(tag, ATTR_MAXLENGTH, &item->maxlength);
item->readonly = parsedtag_exists(tag, ATTR_READONLY);
- if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i))
+ if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i)
+ && i >= 0 && i < max_textarea)
item->value = item->init_value = textarea_str[i];
#ifdef MENU_SELECT
- if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i))
+ if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i)
+ && i >= 0 && i < max_select)
item->select_option = select_option[i].first;
#endif /* MENU_SELECT */
if (parsedtag_get_value(tag, ATTR_ROWS, &p))
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-25 12:59:07 +0000