author | Tatsuya Kinoshita <tats@debian.org> | 2016-11-15 11:11:52 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2016-11-19 05:47:17 +0000 |
commit | 0a04bf8a1cb3868ace621b092d26cefdeb5ec359 (patch) | |
tree | 0476b69f095d69e58fb647fc5a5eeb06b847346d /table.c | |
parent | Prevent global-buffer-overflow write in formUpdateBuffer (diff) | |
Prevent infinite recursion with nested table and textarea
Bug-Debian: https://github.com/tats/w3m/issues/20 [CVE-2016-9439]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=2a4a2fb9f116b50e7c80d573db06c0fdc6c69272
Diffstat (limited to '')
-rw-r--r-- | table.c | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -1624,6 +1624,15 @@ get_table_width(struct table *t, short *orgwidth, short *cellwidth, int flag)
 #define fixed_table_width(t)\
 (get_table_width(t,t->fixed_width,t->cell.fixed_width,CHECK_MINIMUM))
 
+#define MAX_COTABLE_LEVEL 100
+static int cotable_level;
+
+void
+initRenderTable(void)
+{
+ cotable_level = 0;
+}
+
 void
 renderCoTable(struct table *tbl, int maxlimit)
 {
@@ -1634,6 +1643,10 @@ renderCoTable(struct table *tbl, int maxlimit)
 int i, col, row;
 int indent, maxwidth;
 
+ if (cotable_level >= MAX_COTABLE_LEVEL)
+ return; /* workaround to prevent infinite recursion */
+ cotable_level++;
+
 for (i = 0; i < tbl->ntable; i++) {
 t = tbl->tables[i].ptr;
 col = tbl->tables[i].col;
|
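Review bot: `initRenderTable()` is added in the first hunk with external linkage, but the diffstat lists 13 insertions in table.c only and the two hunks account for all of them, so this commit adds neither a prototype nor a call site for it. Unless a caller is added elsewhere, `cotable_level` is never reset and the limit applies to the whole process lifetime: after 100 `renderCoTable()` calls, every later nested table would be skipped. I would add the prototype and the reset call in the same commit, and document the counter with something like `/* renderCoTable() calls since initRenderTable(); bounds runaway recursion on malformed nested table/textarea input */`.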
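Review bot: `cotable_level++` in the second hunk has no matching decrement; the function body continues outside the hunk, but all 13 insertions of the commit are visible here, so nothing on the exit path lowers it again. The counter therefore tracks cumulative calls since the last reset rather than nesting depth, and a document that legitimately triggers more than 100 calls would silently lose the remaining nested tables even when none is deeply nested. If a depth limit is what is meant, add `cotable_level--;` after the loop and before any other return in the body. If a call budget is intended, say so in the comment, e.g. `/* budget of renderCoTable() calls per render, not a nesting depth */`.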