Prevent segfault for formUpdateBuffer

Bug-Debian: https://github.com/tats/w3m/issues/13 [CVE-2016-9432] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=807e8b7fbffca6dcaf5db40e35f05d05c5cf02d3 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7b88478227978a8d673b4dd0e05eee410cc33330
author: Tatsuya Kinoshita <tats@debian.org> 2016-08-17 12:10:30 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2016-11-19 05:11:41 +0000
commit: ddf28e2cf9e16a559a08ee10ea60d1683b894a16 (patch)
tree: a1b16870733ff0c179ad2821afce86c0c1143265 /form.c
parent: Prevent negative array index for selectnumber and textareanumber (diff)
download: w3m-ddf28e2cf9e16a559a08ee10ea60d1683b894a16.tar.gz
w3m-ddf28e2cf9e16a559a08ee10ea60d1683b894a16.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/form.c b/form.c
index da115fa..779ba2f 100644
--- a/form.c
+++ b/form.c
@@ -481,8 +481,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
 		spos = a->start.pos;
 		epos = a->end.pos;
 	    }
-	    if (a->start.line != a->end.line || spos > epos)
-		epos = spos;
+	    if (a->start.line != a->end.line || spos > epos || epos >= l->len)
+		break;
 	    pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,
 				   rows > 1,
 				   form->type == FORM_INPUT_PASSWORD);
author	Tatsuya Kinoshita <tats@debian.org>	2016-08-17 12:10:30 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2016-11-19 05:11:41 +0000
commit	ddf28e2cf9e16a559a08ee10ea60d1683b894a16 (patch)
tree	a1b16870733ff0c179ad2821afce86c0c1143265 /form.c
parent	Prevent negative array index for selectnumber and textareanumber (diff)
download	w3m-ddf28e2cf9e16a559a08ee10ea60d1683b894a16.tar.gz w3m-ddf28e2cf9e16a559a08ee10ea60d1683b894a16.zip