From d01de738f599441740437c6600dd5b1ae7155d27 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Sat, 8 Oct 2016 07:06:12 +0900 Subject: Prevent global-buffer-overflow write in formUpdateBuffer Bug-Debian: https://github.com/tats/w3m/issues/29 --- form.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/form.c b/form.c index 1e3aaad..71c19d0 100644 --- a/form.c +++ b/form.c @@ -442,6 +442,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) switch (form->type) { case FORM_INPUT_CHECKBOX: case FORM_INPUT_RADIO: + if (spos >= buf->currentLine->len || spos < 0) + break; if (form->checked) buf->currentLine->lineBuf[spos] = '*'; else @@ -485,7 +487,7 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) spos = a->start.pos; epos = a->end.pos; } - if (a->start.line != a->end.line || spos > epos || epos >= l->len) + if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0) break; pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col, rows > 1, -- cgit v1.2.3