Fix segfault on bogus text

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820162
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7bb2a4671503c41d63989dcef9ef54dea0c73b43
Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1324348
cf. https://lists.fedoraproject.org/pipermail/package-announce/2016-April/182697.html

1 files changed, 6 insertions, 0 deletions

diff --git a/libwc/ucs.c b/libwc/ucs.c
index d7b6948..061e1ce 100644
--- a/libwc/ucs.c
+++ b/libwc/ucs.c
@@ -108,6 +108,7 @@ wc_any_to_ucs(wc_wchar_t cc)
 {
     int f;
     wc_uint16 *map = NULL;
+    wc_uint32 map_size = 0x80;
     wc_map *map2;
 
     f = WC_CCS_INDEX(cc.ccs);
@@ -138,6 +139,7 @@ wc_any_to_ucs(wc_wchar_t cc)
 	if (f < WC_F_ISO_BASE || f > WC_F_CS94W_END)
 	    return 0;
 	map = cs94w_ucs_map[f - WC_F_ISO_BASE];
+	map_size = cs94w_ucs_map_size[f - WC_F_ISO_BASE];
 	cc.code = WC_CS94W_N(cc.code);
 	break;
     case WC_CCS_A_CS96:
@@ -150,6 +152,7 @@ wc_any_to_ucs(wc_wchar_t cc)
 	if (f < WC_F_ISO_BASE || f > WC_F_CS96W_END)
 	    return WC_C_UCS4_ERROR;
 	map = cs96w_ucs_map[f - WC_F_ISO_BASE];
+	map_size = cs96w_ucs_map_size[f - WC_F_ISO_BASE];
 	cc.code = WC_CS96W_N(cc.code);
 	break;
     case WC_CCS_A_CS942:
@@ -180,6 +183,7 @@ wc_any_to_ucs(wc_wchar_t cc)
 	if (f < WC_F_PCS_BASE || f > WC_F_PCSW_END)
 	    return WC_C_UCS4_ERROR;
 	map = pcsw_ucs_map[f - WC_F_PCS_BASE];
+	map_size = pcsw_ucs_map_size[f - WC_F_PCS_BASE];
 	switch (cc.ccs) {
 	case WC_CCS_BIG5:
 	    cc.code = WC_BIG5_N(cc.code);
@@ -271,6 +275,8 @@ wc_any_to_ucs(wc_wchar_t cc)
     }
     if (map == NULL)
 	return WC_C_UCS4_ERROR;
+    if (map_size == 0 || cc.code > map_size - 1)
+	return WC_C_UCS4_ERROR;
     cc.code = map[cc.code];
     return cc.code ? cc.code : WC_C_UCS4_ERROR;
 }