From b2485c4c90a43503c461c251d377683c03d76b4d Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Mon, 21 Nov 2016 22:41:44 +0900
Subject: New patch 905_textarea.patch to fix heap write [CVE-2016-9424]

---
 debian/patches/905_textarea.patch | 75 +++++++++++++++++++++++++++++++++++++++
 debian/patches/series             |  1 +
 2 files changed, 76 insertions(+)
 create mode 100644 debian/patches/905_textarea.patch

diff --git a/debian/patches/905_textarea.patch b/debian/patches/905_textarea.patch
new file mode 100644
index 0000000..86d53c6
--- /dev/null
+++ b/debian/patches/905_textarea.patch
@@ -0,0 +1,75 @@
+Subject: Prevent negative array index for selectnumber and textareanumber
+Author: Tatsuya Kinoshita <tats@debian.org>
+Bug-Debian: https://github.com/tats/w3m/issues/12 [CVE-2016-9424]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a25fd09f74fb83499396935a96d63bb7cb8e2c58
+
+diff --git a/file.c b/file.c
+index d06b2cf..4056393 100644
+--- a/file.c
++++ b/file.c
+@@ -67,7 +67,7 @@ static int cur_status;
+ #ifdef MENU_SELECT
+ /* menu based <select>  */
+ FormSelectOption *select_option;
+-static int max_select = MAX_SELECT;
++int max_select = MAX_SELECT;
+ static int n_select;
+ static int cur_option_maxwidth;
+ #endif				/* MENU_SELECT */
+@@ -79,7 +79,7 @@ static int cur_textarea_rows;
+ static int cur_textarea_readonly;
+ static int n_textarea;
+ static int ignore_nl_textarea;
+-static int max_textarea = MAX_TEXTAREA;
++int max_textarea = MAX_TEXTAREA;
+ 
+ static int http_response_code;
+ 
+@@ -5986,7 +5986,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
+ 		case HTML_TEXTAREA_INT:
+ 		    if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER,
+ 					    &n_textarea)
+-			&& n_textarea < max_textarea) {
++			&& n_textarea >= 0 && n_textarea < max_textarea) {
+ 			textarea_str[n_textarea] = Strnew();
+ 		    }
+ 		    else
+@@ -6003,7 +6003,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
+ #ifdef MENU_SELECT
+ 		case HTML_SELECT_INT:
+ 		    if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &n_select)
+-			&& n_select < max_select) {
++			&& n_select >= 0 && n_select < max_select) {
+ 			select_option[n_select].first = NULL;
+ 			select_option[n_select].last = NULL;
+ 		    }
+diff --git a/form.c b/form.c
+index 87a5d49..da115fa 100644
+--- a/form.c
++++ b/form.c
+@@ -10,8 +10,10 @@
+ #include "regex.h"
+ 
+ extern Str *textarea_str;
++extern int max_textarea;
+ #ifdef MENU_SELECT
+ extern FormSelectOption *select_option;
++extern int max_select;
+ #include "menu.h"
+ #endif				/* MENU_SELECT */
+ 
+@@ -122,10 +124,12 @@ formList_addInput(struct form_list *fl, struct parsed_tag *tag)
+     parsedtag_get_value(tag, ATTR_SIZE, &item->size);
+     parsedtag_get_value(tag, ATTR_MAXLENGTH, &item->maxlength);
+     item->readonly = parsedtag_exists(tag, ATTR_READONLY);
+-    if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i))
++    if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i)
++	&& i >= 0 && i < max_textarea)
+ 	item->value = item->init_value = textarea_str[i];
+ #ifdef MENU_SELECT
+-    if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i))
++    if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i)
++	&& i >= 0 && i < max_select)
+ 	item->select_option = select_option[i].first;
+ #endif				/* MENU_SELECT */
+     if (parsedtag_get_value(tag, ATTR_ROWS, &p))
diff --git a/debian/patches/series b/debian/patches/series
index 778955c..bb300fe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,3 +40,4 @@
 902_johab1.patch
 903_input-type.patch
 904_form-update.patch
+905_textarea.patch
-- 
cgit v1.2.3