1 files changed, 36 insertions, 0 deletions

diff --git a/debian/patches/949_wtftowcs.patch b/debian/patches/949_wtftowcs.patch
new file mode 100644
index 0000000..d53a1f9
--- /dev/null
+++ b/debian/patches/949_wtftowcs.patch
@@ -0,0 +1,36 @@
+Subject: Prevent overflow beyond the end of string for wtf to wcs macros
+From: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/77
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=c3a3305e0334f76626aeaca76bcfab04a94f851d
+
+---
+ libwc/wtf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index e80d990..cdc6cbc 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -173,15 +173,17 @@ wtf_type(wc_uchar *p)
+     ((p)[3] = (((c) >>  7) & 0x7f) | 0x80), \
+     ((p)[4] = ( (c)        & 0x7f) | 0x80)
+ #define wtf_to_wcs16(p) \
++    ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 ? 0 : \
+       ((wc_uint32)((p)[0] & 0x03) << 14) \
+     | ((wc_uint32)((p)[1] & 0x7f) <<  7) \
+-    | ((wc_uint32)((p)[2] & 0x7f)      )
++    | ((wc_uint32)((p)[2] & 0x7f)      ))
+ #define wtf_to_wcs32(p) \
++    ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 || (p)[3] == 0 || (p)[4] == 0 ? 0 : \
+       ((wc_uint32)((p)[0] & 0x0f) << 28) \
+     | ((wc_uint32)((p)[1] & 0x7f) << 21) \
+     | ((wc_uint32)((p)[2] & 0x7f) << 14) \
+     | ((wc_uint32)((p)[3] & 0x7f) <<  7) \
+-    | ((wc_uint32)((p)[4] & 0x7f)      )
++    | ((wc_uint32)((p)[4] & 0x7f)      ))
+ 
+ void
+ wtf_push(Str os, wc_ccs ccs, wc_uint32 code)
+-- 
+2.10.2
+