From 2115f92bbf11efd472a3ebc4bb9d0560fde99dc1 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Mon, 21 Nov 2016 23:09:44 +0900 Subject: New patch 909_button-type.patch to fix rodata write [CVE-2016-9437] --- debian/patches/909_button-type.patch | 27 +++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 28 insertions(+) create mode 100644 debian/patches/909_button-type.patch diff --git a/debian/patches/909_button-type.patch b/debian/patches/909_button-type.patch new file mode 100644 index 0000000..067db83 --- /dev/null +++ b/debian/patches/909_button-type.patch @@ -0,0 +1,27 @@ +Subject: Prevent segfault with incorrect button type +Author: Tatsuya Kinoshita +Bug-Debian: https://github.com/tats/w3m/issues/17 [CVE-2016-9437] +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=67be73b03a5ad581e331ec97cb275cd8a52719ed + +diff --git a/file.c b/file.c +index b30aa6b..3b7befe 100644 +--- a/file.c ++++ b/file.c +@@ -3756,6 +3756,17 @@ process_button(struct parsed_tag *tag) + if (v == FORM_UNKNOWN) + return NULL; + ++ switch (v) { ++ case FORM_INPUT_SUBMIT: ++ case FORM_INPUT_BUTTON: ++ case FORM_INPUT_RESET: ++ break; ++ default: ++ p = "submit"; ++ v = FORM_INPUT_SUBMIT; ++ break; ++ } ++ + if (!q) { + switch (v) { + case FORM_INPUT_SUBMIT: diff --git a/debian/patches/series b/debian/patches/series index 1d9a49d..74e09ac 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -44,3 +44,4 @@ 906_form-update.patch 907_iso2022.patch 908_forms.patch +909_button-type.patch -- cgit v1.2.3
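Review bot: In the switch added to process_button() in file.c, the default branch silently rewrites any recognised non-button type to submit (`p = "submit"; v = FORM_INPUT_SUBMIT;`), while the existing `if (v == FORM_UNKNOWN) return NULL;` just above drops the tag entirely, and nothing in the hunk says why the two invalid-input cases are handled differently. A one-line comment on the default branch stating that only FORM_INPUT_SUBMIT, FORM_INPUT_BUTTON and FORM_INPUT_RESET are valid here, and that other values are coerced rather than rejected, would make the intent clear to the next reader. Since the commit subject describes a rodata write and this branch points p at a string literal, it is also worth confirming that nothing later in the function writes through p. The patch header carries "Prevent segfault with incorrect button type" as its Subject while the commit subject says "fix rodata write"; a short description line in the header tying the two together would help anyone triaging CVE-2016-9437 from the debian/patches directory alone.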