From 67acbc423185feb770add20116a22b3f8d1f42e7 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Fri, 26 Jan 2018 01:03:19 +0900
Subject: Prevent negative indent value in feed_table_block_tag()

Bug-Debian: https://github.com/tats/w3m/issues/88 [CVE-2018-6196]
---
 table.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/table.c b/table.c
index 1313533..0b6e65f 100644
--- a/table.c
+++ b/table.c
@@ -2357,10 +2357,14 @@ feed_table_block_tag(struct table *tbl,
 	if (mode->indent_level < MAX_INDENT_LEVEL)
 	    tbl->indent -= INDENT_INCR;
     }
+    if (tbl->indent < 0)
+	tbl->indent = 0;
     offset = tbl->indent;
     if (cmd == HTML_DT) {
 	if (mode->indent_level > 0 && mode->indent_level <= MAX_INDENT_LEVEL)
 	    offset -= INDENT_INCR;
+	if (offset < 0)
+	    offset = 0;
     }
     if (tbl->indent > 0) {
 	check_minimum0(tbl, 0);
-- 
cgit v1.2.3