diff options
| author | Tatsuya Kinoshita <tats@debian.org> | 2016-04-06 21:42:55 +0000 |
|---|---|---|
| committer | Tatsuya Kinoshita <tats@debian.org> | 2016-04-06 21:42:55 +0000 |
| commit | 7bb2a4671503c41d63989dcef9ef54dea0c73b43 (patch) | |
| tree | e43704e1f5ae0b762027fb3e6a817cc115ff7efb /libwc/ucs.c | |
| parent | Update ChangeLog (diff) | |
| download | w3m-7bb2a4671503c41d63989dcef9ef54dea0c73b43.tar.gz w3m-7bb2a4671503c41d63989dcef9ef54dea0c73b43.zip | |
Fix segfault on bogus text
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820162
Diffstat (limited to 'libwc/ucs.c')
| -rw-r--r-- | libwc/ucs.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libwc/ucs.c b/libwc/ucs.c index 5e78b4e..727e574 100644 --- a/libwc/ucs.c +++ b/libwc/ucs.c @@ -109,6 +109,7 @@ wc_any_to_ucs(wc_wchar_t cc) { int f; wc_uint16 *map = NULL; + wc_uint32 map_size = 0x80; wc_map *map2; f = WC_CCS_INDEX(cc.ccs); @@ -139,6 +140,7 @@ wc_any_to_ucs(wc_wchar_t cc) if (f < WC_F_ISO_BASE || f > WC_F_CS94W_END) return 0; map = cs94w_ucs_map[f - WC_F_ISO_BASE]; + map_size = cs94w_ucs_map_size[f - WC_F_ISO_BASE]; cc.code = WC_CS94W_N(cc.code); break; case WC_CCS_A_CS96: @@ -151,6 +153,7 @@ wc_any_to_ucs(wc_wchar_t cc) if (f < WC_F_ISO_BASE || f > WC_F_CS96W_END) return WC_C_UCS4_ERROR; map = cs96w_ucs_map[f - WC_F_ISO_BASE]; + map_size = cs96w_ucs_map_size[f - WC_F_ISO_BASE]; cc.code = WC_CS96W_N(cc.code); break; case WC_CCS_A_CS942: @@ -181,6 +184,7 @@ wc_any_to_ucs(wc_wchar_t cc) if (f < WC_F_PCS_BASE || f > WC_F_PCSW_END) return WC_C_UCS4_ERROR; map = pcsw_ucs_map[f - WC_F_PCS_BASE]; + map_size = pcsw_ucs_map_size[f - WC_F_PCS_BASE]; switch (cc.ccs) { case WC_CCS_BIG5: cc.code = WC_BIG5_N(cc.code); @@ -272,6 +276,8 @@ wc_any_to_ucs(wc_wchar_t cc) } if (map == NULL) return WC_C_UCS4_ERROR; + if (map_size == 0 || cc.code > map_size - 1) + return WC_C_UCS4_ERROR; cc.code = map[cc.code]; return cc.code ? cc.code : WC_C_UCS4_ERROR; } |