From d73f74e2cb70297d1373d7fa8921881106dc0b58 Mon Sep 17 00:00:00 2001 
From: Tatsuya Kinoshita
Date: Fri, 6 Jan 2017 23:18:40 +0900
Subject: Fix multiple vulnerabilities (closes: #850432)
- New patch 934_menu.patch to fix buffer overflow (tats/w3m#49)
- New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62)
- New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63)
- New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67)
- New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61)
- New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58)
- New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60)
- New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70)
- New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71)
- New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66)
- New patch 944_lineproc0.patch to fix use after free (tats/w3m#65)
- New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57)
- New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72)
- New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69)
- New patch 948_getmclen.patch to fix buffer overflow (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
- New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77)
- New patch 950_textarea.patch to fix infinite loop (tats/w3m#85)
- New patch 951_lineproc0.patch to fix use after free (tats/w3m#81)
- New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82)
- New patch 953_formupdateline.patch to fix buffer overflow (tats/w3m#68#issuecomment-266214643)
- New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68)
---
 debian/patches/934_menu.patch | 25 +++++++++
 debian/patches/935_shiftanchor.patch | 26 ++++++++++
 debian/patches/936_metarefresh.patch | 28 +++++++++++
 debian/patches/937_lineproc0.patch | 25 +++++++++
 debian/patches/938_lineproc2body.patch | 25 +++++++++
 debian/patches/939_textarea.patch | 25 +++++++++
 debian/patches/940_tabattr.patch | 25 +++++++++
 debian/patches/941_integeredwidth.patch | 34 +++++++++++++
 debian/patches/942_tridvalue.patch | 28 +++++++++++
 debian/patches/943_pushlink.patch | 32 ++++++++++++
 debian/patches/944_lineproc0.patch | 26 ++++++++++
 debian/patches/945_wtfstrwidth.patch | 40 +++++++++++++++
 debian/patches/946_strnewsize.patch | 25 +++++++++
 debian/patches/947_realcolumn.patch | 25 +++++++++
 debian/patches/948_getmclen.patch | 76 ++++++++++++++++++++++++++++
 debian/patches/949_wtftowcs.patch | 36 +++++++++++++
 debian/patches/950_textarea.patch | 27 ++++++++++
 debian/patches/951_lineproc0.patch | 25 +++++++++
 debian/patches/952_formupdatebuffer.patch | 26 ++++++++++
 debian/patches/953_formupdateline.patch | 26 ++++++++++
 debian/patches/954_wtfparse1.patch | 84 +++++++++++++++++++++++++++++++
 debian/patches/series | 21 ++++++++
 22 files changed, 710 insertions(+)
 create mode 100644 debian/patches/934_menu.patch
 create mode 100644 debian/patches/935_shiftanchor.patch
 create mode 100644 debian/patches/936_metarefresh.patch
 create mode 100644 debian/patches/937_lineproc0.patch
 create mode 100644 debian/patches/938_lineproc2body.patch
 create mode 100644 debian/patches/939_textarea.patch
 create mode 100644 debian/patches/940_tabattr.patch
 create mode 100644 debian/patches/941_integeredwidth.patch
 create mode 100644 debian/patches/942_tridvalue.patch
 create mode 100644 debian/patches/943_pushlink.patch
 create mode 100644 debian/patches/944_lineproc0.patch
 create mode 100644 debian/patches/945_wtfstrwidth.patch
 create mode 100644 debian/patches/946_strnewsize.patch
 create mode 100644 debian/patches/947_realcolumn.patch
 create mode 100644 debian/patches/948_getmclen.patch
 create mode 100644 debian/patches/949_wtftowcs.patch
 create mode 100644 debian/patches/950_textarea.patch
 create mode 100644 debian/patches/951_lineproc0.patch
 create mode 100644 debian/patches/952_formupdatebuffer.patch
 create mode 100644 debian/patches/953_formupdateline.patch
 create mode 100644 debian/patches/954_wtfparse1.patch
diff --git a/debian/patches/934_menu.patch b/debian/patches/934_menu.patch
new file mode 100644
index 0000000..b2421f6
--- /dev/null
+++ b/debian/patches/934_menu.patch
@@ -0,0 +1,25 @@
+Subject: Fix menu buffer-overflow
+From: Kuang-che Wu
+Bug-Debian: https://github.com/tats/w3m/pull/49
+Origin: https://github.com/tats/w3m/pull/49/commits/7e1c05dd90cf42a308e854881ea3813aed000d2e
+
+---
+ menu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/menu.c b/menu.c
+index 0f66583..6c5fee0 100644
+--- a/menu.c
++++ b/menu.c
+@@ -1692,7 +1692,7 @@ initMenu(void)
+ FILE *mf;
+ MenuList *list;
+
+- w3mMenuList = New_N(MenuList, 3);
++ w3mMenuList = New_N(MenuList, 4);
+ w3mMenuList[0].id = "Main";
+ w3mMenuList[0].menu = &MainMenu;
+ w3mMenuList[0].item = MainMenuItem;
+--
+2.10.2
+
diff --git a/debian/patches/935_shiftanchor.patch b/debian/patches/935_shiftanchor.patch
new file mode 100644
index 0000000..7927290
--- /dev/null
+++ b/debian/patches/935_shiftanchor.patch
@@ -0,0 +1,26 @@
+Subject: Prevent negative array index for marks in shiftAnchorPosition()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/62
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d57c13282afc6b7dca029f992331b7afa0413356
+
+---
+ anchor.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/anchor.c b/anchor.c
+index ecb211d..bed8db2 100644
+--- a/anchor.c
++++ b/anchor.c
+@@ -551,7 +551,8 @@ shiftAnchorPosition(AnchorList *al, HmarkerList *hl, int line, int pos,
+ break;
+ if (a->start.pos > pos) {
+ a->start.pos += shift;
+- if (hl && hl->marks && hl->marks[a->hseq].line == line)
++ if (hl && hl->marks &&
++ a->hseq >= 0 && hl->marks[a->hseq].line == line)
+ hl->marks[a->hseq].pos = a->start.pos;
+ }
+ if (a->end.pos >= pos)
+--
+2.10.2
+
diff --git a/debian/patches/936_metarefresh.patch b/debian/patches/936_metarefresh.patch
new file mode 100644
index 0000000..0014c64
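Review bot: In initMenu() the new size `4` is a bare literal whose correctness depends on how many w3mMenuList[] entries are assigned further down, and only entry [0] is visible in this hunk; this is the kind of drift that produced the original overflow. A comment on the allocation tying the two together, e.g. `w3mMenuList = New_N(MenuList, 4); /* must cover every w3mMenuList[i] assigned below */`, or one enum constant used for both the allocation and the last index, would keep them in step. Whether the fourth slot is a real menu or a terminator cannot be told from the hunk; initMenu's body continues outside it.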
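Review bot: The added `a->hseq >= 0` in shiftAnchorPosition() removes the negative index but leaves `hl->marks[a->hseq]` without an upper bound, while the companion 938_lineproc2body.patch in this same commit bounds the same kind of lookup with `hseq < buf->hmarklist->nmark`. If hl is the same HmarkerList type, the condition should read `a->hseq >= 0 && a->hseq < hl->nmark && hl->marks[a->hseq].line == line`, so a stale or oversized hseq cannot read past the marks array. Whether callers can produce hseq >= nmark here is not visible from the hunk; shiftAnchorPosition's body continues outside it.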
--- /dev/null
+++ b/debian/patches/936_metarefresh.patch
@@ -0,0 +1,28 @@
+Subject: Prevent negative array index in getMetaRefreshParam()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/63
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6c6a2cbced21ceec2fac08fba1ad271a77f9dbc2
+
+---
+ file.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/file.c b/file.c
+index e82eaf1..18b350a 100644
+--- a/file.c
++++ b/file.c
+@@ -4361,8 +4361,9 @@ getMetaRefreshParam(char *q, Str *refresh_uri)
+ r++;
+ s_tmp = Strnew_charp_n(q, r - q);
+
+- if (s_tmp->ptr[s_tmp->length - 1] == '\"' /* " */
+- || s_tmp->ptr[s_tmp->length - 1] == '\'') { /* ' */
++ if (s_tmp->length > 0 &&
++ (s_tmp->ptr[s_tmp->length - 1] == '\"' || /* " */
++ s_tmp->ptr[s_tmp->length - 1] == '\'')) { /* ' */
+ s_tmp->length--;
+ s_tmp->ptr[s_tmp->length] = '\0';
+ }
+--
+2.10.2
+
diff --git a/debian/patches/937_lineproc0.patch b/debian/patches/937_lineproc0.patch
new file mode 100644
index 0000000..34f5b63
--- /dev/null
+++ b/debian/patches/937_lineproc0.patch
@@ -0,0 +1,25 @@
+Subject: Prevent negative value of row for pushTable() in HTMLlineproc0()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/67
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=0e66622582db13c4ffeba38067e15efd2d68cd75
+
+---
+ file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/file.c b/file.c
+index 18b350a..6850db1 100644
+--- a/file.c
++++ b/file.c
+@@ -6404,6 +6404,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal)
+ if (obuf->table_level >= 0) {
+ struct table *tbl0 = tables[obuf->table_level];
+ str = Sprintf("", tbl0->ntable)->ptr;
++ if (tbl0->row < 0)
++ continue;
+ pushTable(tbl0, tbl);
+ tbl = tbl0;
+ tbl_mode = &table_mode[obuf->table_level];
+--
+2.10.2
+
diff --git a/debian/patches/938_lineproc2body.patch b/debian/patches/938_lineproc2body.patch
new file mode 100644
index 0000000..67d39d8
--- /dev/null
+++ b/debian/patches/938_lineproc2body.patch
@@ -0,0 +1,25 @@
+Subject: Prevent negative array index for marks in HTMLlineproc2body()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/61
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=f34c37f3156d1578a53dccc582c83c88fff76f87
+
+---
+ file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index 6850db1..c5aeb88 100644
+--- a/file.c
++++ b/file.c
+@@ -5699,7 +5699,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
+ a_href->end.pos = pos;
+ if (a_href->start.line == a_href->end.line &&
+ a_href->start.pos == a_href->end.pos) {
+- if (buf->hmarklist &&
++ if (buf->hmarklist && a_href->hseq >= 0 &&
+ a_href->hseq < buf->hmarklist->nmark)
+ buf->hmarklist->marks[a_href->hseq].invalid = 1;
+ a_href->hseq = -1;
+--
+2.10.2
+
diff --git a/debian/patches/939_textarea.patch b/debian/patches/939_textarea.patch
new file mode 100644
index 0000000..fc6a011
--- /dev/null
+++ b/debian/patches/939_textarea.patch
@@ -0,0 +1,25 @@
+Subject: Prevent negative array index in process_textarea()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/58
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d7f55d5959c3e06e9f110f13def7ae9015882e1e
+
+---
+ file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index c5aeb88..330ae3a 100644
+--- a/file.c
++++ b/file.c
+@@ -3995,7 +3995,7 @@ process_textarea(struct parsed_tag *tag, int width)
+ cur_textarea_size = 20;
+ if (parsedtag_get_value(tag, ATTR_COLS, &p)) {
+ cur_textarea_size = atoi(p);
+- if (p[strlen(p) - 1] == '%')
++ if (strlen(p) > 0 && p[strlen(p) - 1] == '%')
+ cur_textarea_size = width * cur_textarea_size / 100 - 2;
+ if (cur_textarea_size <= 0) {
+ cur_textarea_size = 20;
+--
+2.10.2
+
diff --git a/debian/patches/940_tabattr.patch b/debian/patches/940_tabattr.patch
new file mode 100644
index 0000000..56c85a8
--- /dev/null
+++ b/debian/patches/940_tabattr.patch
@@ -0,0 +1,25 @@
+Subject: Prevent array index out of bounds for tabattr in feed_table_tag()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/60
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a6ddc331e90698fa57732bd55f2e8407f3f32f7a
+
+---
+ table.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/table.c b/table.c
+index c57187a..1a37772 100644
+--- a/table.c
++++ b/table.c
+@@ -2593,7 +2593,7 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode,
+ }
+ tbl->col++;
+ check_row(tbl, tbl->row);
+- while (tbl->tabattr[tbl->row][tbl->col]) {
++ while (tbl->col < MAXCOL && tbl->tabattr[tbl->row][tbl->col]) {
+ tbl->col++;
+ }
+ if (tbl->col > MAXCOL - 1) {
+--
+2.10.2
+
diff --git a/debian/patches/941_integeredwidth.patch b/debian/patches/941_integeredwidth.patch
new file mode 100644
index 0000000..660c327
--- /dev/null
+++ b/debian/patches/941_integeredwidth.patch
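Review bot: The added strlen() test fixes the empty-COLS read in process_textarea(), but `cur_textarea_size = atoi(p)` still takes an unbounded attribute value from the document, and `width * cur_textarea_size / 100` on the following line is a signed multiplication that can overflow before the `<= 0` reset runs (signed overflow is undefined in C). An upper clamp right after the atoi(), e.g. `if (cur_textarea_size > MAX_TEXTAREA_COLS) cur_textarea_size = MAX_TEXTAREA_COLS;` with a project-chosen constant (placeholder name), or doing the percentage arithmetic in a wider type, would close that. strlen(p) is also evaluated twice on the new line; caching it in a local reads better. process_textarea's body continues outside the hunk.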
@@ -0,0 +1,34 @@
+Subject: Prevent negative array index in set_integered_width()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/70
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a3ed914b0cfc3750e0eb57bb21e2ec6f86ca94f0
+
+---
+ table.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/table.c b/table.c
+index 1a37772..84e4bf6 100644
+--- a/table.c
++++ b/table.c
+@@ -961,7 +961,7 @@ set_integered_width(struct table *t, double *dwidth, short *iwidth)
+ for (step = 0; step < 2; step++) {
+ for (i = 0; i <= t->maxcol; i += n) {
+ int nn;
+- char *idx;
++ short *idx;
+ double nsum;
+ if (sum < 0.5)
+ return;
+@@ -982,7 +982,7 @@ set_integered_width(struct table *t, double *dwidth, short *iwidth)
+ (double)rulewidth - mod[ii] > 0.5)
+ fixed[ii] = 1;
+ }
+- idx = NewAtom_N(char, n);
++ idx = NewAtom_N(short, n);
+ for (k = 0; k < cell->maxcell; k++) {
+ int kk, w, width, m;
+ j = cell->index[k];
+--
+2.10.2
+
diff --git a/debian/patches/942_tridvalue.patch b/debian/patches/942_tridvalue.patch
new file mode 100644
index 0000000..bf8e7f0
--- /dev/null
+++ b/debian/patches/942_tridvalue.patch
@@ -0,0 +1,28 @@
+Subject: Prevent array index out of bounds for tridvalue in feed_table_tag()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/71
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=30b0c971676e229dabd2715c200f76bcfe27a714
+
+---
+ table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/table.c b/table.c
+index 84e4bf6..1313533 100644
+--- a/table.c
++++ b/table.c
+@@ -2567,8 +2567,10 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode,
+ }
+ }
+ #ifdef ID_EXT
+- if (parsedtag_get_value(tag, ATTR_ID, &p))
++ if (parsedtag_get_value(tag, ATTR_ID, &p)) {
++ check_row(tbl, tbl->row);
+ tbl->tridvalue[tbl->row] = Strnew_charp(p);
++ }
+ #endif /* ID_EXT */
+ tbl->trattr = align | valign;
+ break;
+--
+2.10.2
+
diff --git a/debian/patches/943_pushlink.patch b/debian/patches/943_pushlink.patch
new file mode 100644
index 0000000..3b24cb4
--- /dev/null
+++ b/debian/patches/943_pushlink.patch
@@ -0,0 +1,32 @@
+Subject: Prevent negative values for offset and pos in push_link()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/64
+Bug-Debian: https://github.com/tats/w3m/issues/66
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=ecf57714191b77142da74035b748262cdc80dfb7
+
+---
+ file.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/file.c b/file.c
+index 330ae3a..483180a 100644
+--- a/file.c
++++ b/file.c
+@@ -2307,8 +2307,12 @@ push_link(int cmd, int offset, int pos)
+ struct link_stack *p;
+ p = New(struct link_stack);
+ p->cmd = cmd;
+- p->offset = offset;
+- p->pos = pos;
++ p->offset = (short)offset;
++ if (p->offset < 0)
++ p->offset = 0;
++ p->pos = (short)pos;
++ if (p->pos < 0)
++ p->pos = 0;
+ p->next = link_stack;
+ link_stack = p;
+ }
+--
+2.10.2
+
diff --git a/debian/patches/944_lineproc0.patch b/debian/patches/944_lineproc0.patch
new file mode 100644
index 0000000..6cee164
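Review bot: Clamping after the `(short)` cast in push_link() does not bound the value: an int above SHRT_MAX is narrowed with implementation-defined (in practice wrapping) results, so for example 65537 becomes 1 instead of being rejected, and only the values that happen to wrap negative reach the new `< 0` branch. Clamp the int before narrowing, `p->offset = offset < 0 ? 0 : (offset > SHRT_MAX ? SHRT_MAX : offset);` and the same for pos, with `<limits.h>` providing SHRT_MAX. The cast suggests the link_stack fields are short, but the struct definition is outside the hunk, so confirm their type before choosing the bound.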
--- /dev/null
+++ b/debian/patches/944_lineproc0.patch
@@ -0,0 +1,26 @@
+Subject: Prevent heap-use-after-free in HTMLlineproc0()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/65
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=26484fc1381e5ec758db950f2bd17f1496220c92
+
+---
+ file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index 483180a..f5ca8d2 100644
+--- a/file.c
++++ b/file.c
+@@ -6585,7 +6585,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal)
+ indent = h_env->envs[h_env->envc].indent;
+ if (obuf->bp.pos - i > indent) {
+ Str line;
+- append_tags(obuf);
++ append_tags(obuf); /* may reallocate the buffer */
++ bp = obuf->line->ptr + obuf->bp.len;
+ line = Strnew_charp(bp);
+ Strshrink(obuf->line, obuf->line->length - obuf->bp.len);
+ #ifdef FORMAT_NICE
+--
+2.10.2
+
diff --git a/debian/patches/945_wtfstrwidth.patch b/debian/patches/945_wtfstrwidth.patch
new file mode 100644
index 0000000..36ee878
--- /dev/null
+++ b/debian/patches/945_wtfstrwidth.patch
@@ -0,0 +1,40 @@
+Subject: Prevent overflow beyond the end of string in wtf_strwidth() and wtf_len()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/57
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7fbaf9444fcd2d3ce061775949b38deb4d489943
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a56a8ef132945512c010cbcbc873dbb42274f9bd
+
+---
+ libwc/wtf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index b8cfdc7..adee338 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -120,8 +120,9 @@ int
+ wtf_strwidth(wc_uchar *p)
+ {
+ int w = 0;
++ wc_uchar *q = p + strlen(p);
+
+- while (*p) {
++ while (p < q) {
+ w += wtf_width(p);
+ p += WTF_LEN_MAP[*p];
+ }
+@@ -140,9 +141,10 @@ size_t
+ wtf_len(wc_uchar *p)
+ {
+ wc_uchar *q = p;
++ wc_uchar *strz = p + strlen(p);
+
+ q += WTF_LEN_MAP[*q];
+- while (*q && ! WTF_WIDTH_MAP[*q])
++ while (q < strz && ! WTF_WIDTH_MAP[*q])
+ q += WTF_LEN_MAP[*q];
+ return q - p;
+ }
+--
+2.10.2
+
diff --git a/debian/patches/946_strnewsize.patch b/debian/patches/946_strnewsize.patch
new file mode 100644
index 0000000..713ec0c
--- /dev/null
+++ b/debian/patches/946_strnewsize.patch
@@ -0,0 +1,25 @@
+Subject: Prevent heap-buffer-overflow in Strnew_size()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/72
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=4381dffaa3fdf94c384f3588b5c7dff3ba1cc4ae
+
+---
+ Str.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Str.c b/Str.c
+index 5287c0f..7a094f5 100644
+--- a/Str.c
++++ b/Str.c
+@@ -48,6 +48,8 @@ Str
+ Strnew_size(int n)
+ {
+ Str x = GC_MALLOC(sizeof(struct _Str));
++ if (n < 0)
++ n = 0;
+ x->ptr = GC_MALLOC_ATOMIC(n + 1);
+ x->ptr[0] = '\0';
+ x->area_size = n + 1;
+--
+2.10.2
+
diff --git a/debian/patches/947_realcolumn.patch b/debian/patches/947_realcolumn.patch
new file mode 100644
index 0000000..152088e
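Review bot: In the new wtf_len() the first advance, `q += WTF_LEN_MAP[*q];`, is still unbounded, so when the lead byte's map length exceeds the bytes left before the terminator q lands beyond strz and the function returns a length that runs past the NUL; the new `q < strz` test only guards the loop that follows it. 948_getmclen.patch later in this commit introduces a NUL-bounded wtf_len1(), and using it for that first step, `q += wtf_len1(q);`, would make the two helpers consistent. The same unbounded step exists in wtf_strwidth() in the first hunk (`p += WTF_LEN_MAP[*p]` can overshoot q), though there the loop simply terminates. `strlen(p)` on a wc_uchar pointer also relies on an implicit unsigned-char-to-char pointer conversion that compilers diagnose; a `(char *)` cast on both new lines keeps the build warning-free.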
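Review bot: The new `n < 0` guard in Strnew_size() leaves the opposite edge open: `n + 1` is a signed int addition, so n == INT_MAX still overflows (undefined behaviour) before the GC_MALLOC_ATOMIC call and the area_size store. Whether any caller can pass INT_MAX is not visible here, but the bound is one line, e.g. `if (n < 0) n = 0; else if (n == INT_MAX) PROJECT_FATAL("Strnew_size: size too large");` using the project's own abort helper in place of the placeholder, since silently shrinking the request would just move the overflow to the caller's write. INT_MAX needs `<limits.h>`, which is outside the hunk.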
--- /dev/null
+++ b/debian/patches/947_realcolumn.patch
@@ -0,0 +1,25 @@
+Subject: Prevent negative array index for realColumn in calcPosition()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/69
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=1978455e2ed01699789e8374d29515b74b867b2b
+
+---
+ etc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/etc.c b/etc.c
+index 8fe1215..af8a5d3 100644
+--- a/etc.c
++++ b/etc.c
+@@ -498,7 +498,7 @@ calcPosition(char *l, Lineprop *pr, int len, int pos, int bpos, int mode)
+ static char *prevl = NULL;
+ int i, j;
+
+- if (l == NULL || len == 0)
++ if (l == NULL || len == 0 || pos < 0)
+ return bpos;
+ if (l == prevl && mode == CP_AUTO) {
+ if (pos <= len)
+--
+2.10.2
+
diff --git a/debian/patches/948_getmclen.patch b/debian/patches/948_getmclen.patch
new file mode 100644
index 0000000..1504f23
--- /dev/null
+++ b/debian/patches/948_getmclen.patch
@@ -0,0 +1,76 @@
+Subject: Prevent overflow beyond the end of string in caller of get_mclen()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/59
+Bug-Debian: https://github.com/tats/w3m/issues/73
+Bug-Debian: https://github.com/tats/w3m/issues/74
+Bug-Debian: https://github.com/tats/w3m/issues/75
+Bug-Debian: https://github.com/tats/w3m/issues/76
+Bug-Debian: https://github.com/tats/w3m/issues/78
+Bug-Debian: https://github.com/tats/w3m/issues/79
+Bug-Debian: https://github.com/tats/w3m/issues/80
+Bug-Debian: https://github.com/tats/w3m/issues/83
+Bug-Debian: https://github.com/tats/w3m/issues/84
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6eea841d3a0f8dc539584dc67b15f585a8213775
+
+---
+ file.c | 2 +-
+ libwc/wtf.c | 11 ++++++++---
+ libwc/wtf.h | 3 +--
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/file.c b/file.c
+index f5ca8d2..4fe8239 100644
+--- a/file.c
++++ b/file.c
+@@ -3438,7 +3438,7 @@ process_img(struct parsed_tag *tag, int width)
+ if (use_image) {
+ if (n > nw) {
+ char *r;
+- for (r = q, n = 0; r; r += get_mclen(r), n += get_mcwidth(r)) {
++ for (r = q, n = 0; *r; r += get_mclen(r), n += get_mcwidth(r)) {
+ if (n + get_mcwidth(r) > nw)
+ break;
+ }
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index adee338..e80d990 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -129,13 +129,18 @@ wtf_strwidth(wc_uchar *p)
+ return w;
+ }
+
+-/*
+ size_t
+ wtf_len1(wc_uchar *p)
+ {
+- return (size_t)WTF_LEN_MAP[*p];
++ size_t len, len_max = WTF_LEN_MAP[*p];
++
++ for (len = 0; *(p + len); len++)
++ if (len == len_max)
++ break;
++ if (len == 0)
++ len = 1;
++ return len;
+ }
+-*/
+
+ size_t
+ wtf_len(wc_uchar *p)
+diff --git a/libwc/wtf.h b/libwc/wtf.h
+index ad47973..435526f 100644
+--- a/libwc/wtf.h
++++ b/libwc/wtf.h
+@@ -59,8 +59,7 @@ extern void wtf_init(wc_ces ces1, wc_ces ces2);
+ #define wtf_width(p) (WcOption.use_wide ? (int)WTF_WIDTH_MAP[(wc_uchar)*(p)] \
+ : ((int)WTF_WIDTH_MAP[(wc_uchar)*(p)] ? 1 : 0))
+ extern int wtf_strwidth(wc_uchar *p);
+-/* extern size_t wtf_len1(wc_uchar *p); */
+-#define wtf_len1(p) ((int)WTF_LEN_MAP[(wc_uchar)*(p)])
++extern size_t wtf_len1(wc_uchar *p);
+ extern size_t wtf_len(wc_uchar *p);
+ /* extern int wtf_type(wc_uchar *p); */
+ #define wtf_type(p) WTF_TYPE_MAP[(wc_uchar)*(p)]
+--
+2.10.2
+
diff --git a/debian/patches/949_wtftowcs.patch b/debian/patches/949_wtftowcs.patch
new file mode 100644
index 0000000..d53a1f9
--- /dev/null
+++ b/debian/patches/949_wtftowcs.patch
@@ -0,0 +1,36 @@
+Subject: Prevent overflow beyond the end of string for wtf to wcs macros
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/77
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=c3a3305e0334f76626aeaca76bcfab04a94f851d
+
+---
+ libwc/wtf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index e80d990..cdc6cbc 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -173,15 +173,17 @@ wtf_type(wc_uchar *p)
+ ((p)[3] = (((c) >> 7) & 0x7f) | 0x80), \
+ ((p)[4] = ( (c) & 0x7f) | 0x80)
+ #define wtf_to_wcs16(p) \
++ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 ? 0 : \
+ ((wc_uint32)((p)[0] & 0x03) << 14) \
+ | ((wc_uint32)((p)[1] & 0x7f) << 7) \
+- | ((wc_uint32)((p)[2] & 0x7f) )
++ | ((wc_uint32)((p)[2] & 0x7f) ))
+ #define wtf_to_wcs32(p) \
++ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 || (p)[3] == 0 || (p)[4] == 0 ? 0 : \
+ ((wc_uint32)((p)[0] & 0x0f) << 28) \
+ | ((wc_uint32)((p)[1] & 0x7f) << 21) \
+ | ((wc_uint32)((p)[2] & 0x7f) << 14) \
+ | ((wc_uint32)((p)[3] & 0x7f) << 7) \
+- | ((wc_uint32)((p)[4] & 0x7f) )
++ | ((wc_uint32)((p)[4] & 0x7f) ))
+
+ void
+ wtf_push(Str os, wc_ccs ccs, wc_uint32 code)
+--
+2.10.2
+
diff --git a/debian/patches/950_textarea.patch b/debian/patches/950_textarea.patch
new file mode 100644
index 0000000..1433d75
--- /dev/null
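Review bot: The rewritten wtf_len1() returns 1 when `*p` is already the terminator (`len == 0` is turned into `len = 1`), so any caller that advances by its return value without first testing `*p` steps past the NUL; the file.c hunk now avoids that with the `*r` loop condition, but every other get_mclen()/wtf_len1() caller has to follow the same rule. That contract belongs in a comment above the function in wtf.c, e.g. `/* Length of the WTF sequence at p, never past the NUL. Returns 1 at the terminator itself, so callers must test *p before advancing. */`. The header hunk also turns wtf_len1 from an int-valued macro into a size_t function, which can convert comparisons at existing callers into signed/unsigned mismatches; a build with -Wsign-compare would surface them.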
+++ b/debian/patches/950_textarea.patch
@@ -0,0 +1,27 @@
+Subject: Prevent infinite loop in feed_textarea()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/85
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7a2675b4a5680d44645e72c4ec1258746a6e1b66
+
+---
+ file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index 4fe8239..da16a0a 100644
+--- a/file.c
++++ b/file.c
+@@ -4076,7 +4076,9 @@ feed_textarea(char *str)
+ Strcat_charp(textarea_str[n_textarea], "\r\n");
+ str++;
+ }
+- else if (*str != '\r')
++ else if (*str == '\r')
++ str++;
++ else
+ Strcat_char(textarea_str[n_textarea], *(str++));
+ }
+ }
+--
+2.10.2
+
diff --git a/debian/patches/951_lineproc0.patch b/debian/patches/951_lineproc0.patch
new file mode 100644
index 0000000..6585cca
--- /dev/null
+++ b/debian/patches/951_lineproc0.patch
@@ -0,0 +1,25 @@
+Subject: Prevent heap-use-after-free read in HTMLlineproc0()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/81
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=aa2077e06fc11f65ba1773e8f5da83d98057e829
+
+---
+ file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/file.c b/file.c
+index da16a0a..6ecb0a6 100644
+--- a/file.c
++++ b/file.c
+@@ -6328,7 +6328,7 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal)
+ }
+ if (h_env->tagbuf->length == 0)
+ continue;
+- str = h_env->tagbuf->ptr;
++ str = Strdup(h_env->tagbuf)->ptr;
+ if (*str == '<') {
+ if (str[1] && REALLY_THE_BEGINNING_OF_A_TAG(str))
+ is_tag = TRUE;
+--
+2.10.2
+
diff --git a/debian/patches/952_formupdatebuffer.patch b/debian/patches/952_formupdatebuffer.patch
new file mode 100644
index 0000000..c5b7444
--- /dev/null
+++ b/debian/patches/952_formupdatebuffer.patch
@@ -0,0 +1,26 @@
+Subject: Prevent invalid form_update_line() call in formUpdateBuffer()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/82
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=dc32152dc051923e322fc251aaa2dbd5e54c0fbf
+
+---
+ form.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/form.c b/form.c
+index 1aaaf19..162439a 100644
+--- a/form.c
++++ b/form.c
+@@ -490,7 +490,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
+ spos = a->start.pos;
+ epos = a->end.pos;
+ }
+- if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0)
++ if (a->start.line != a->end.line || spos > epos || epos >= l->len ||
++ spos < 0 || epos < 0 || COLPOS(l, epos) < col)
+ break;
+ pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,
+ rows > 1,
+--
+2.10.2
+
diff --git a/debian/patches/953_formupdateline.patch b/debian/patches/953_formupdateline.patch
new file mode 100644
index 0000000..77ede43
--- /dev/null
+++ b/debian/patches/953_formupdateline.patch
@@ -0,0 +1,26 @@
+Subject: Preserve one byte for end of string character in form_update_line()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/68#issuecomment-266214643
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=eb4130a7cd2202de6aeb772b7e4f2a417dbff173
+
+---
+ form.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/form.c b/form.c
+index 162439a..0605513 100644
+--- a/form.c
++++ b/form.c
+@@ -320,7 +320,8 @@ form_update_line(Line *line, char **str, int spos, int epos, int width,
+ pos += width - w;
+
+ len = line->len + pos + spos - epos;
+- buf = New_N(char, len);
++ buf = New_N(char, len + 1);
++ buf[len] = '\0';
+ prop = New_N(Lineprop, len);
+ bcopy((void *)line->lineBuf, (void *)buf, spos * sizeof(char));
+ bcopy((void *)line->propBuf, (void *)prop, spos * sizeof(Lineprop));
+--
+2.10.2
+
diff --git a/debian/patches/954_wtfparse1.patch b/debian/patches/954_wtfparse1.patch
new file mode 100644
index 0000000..62b5e91
--- /dev/null
+++ b/debian/patches/954_wtfparse1.patch
@@ -0,0 +1,84 @@
+Subject: Prevent overflow beyond the end of string in wtf_parse1()
+From: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/68
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=00433f4ac2645ac6236ea1892b4a93f26a039a84
+
+---
+ libwc/wtf.c | 44 ++++++++++++++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/libwc/wtf.c b/libwc/wtf.c
+index cdc6cbc..94d95c1 100644
+--- a/libwc/wtf.c
++++ b/libwc/wtf.c
+@@ -397,7 +397,7 @@ wtf_parse1(wc_uchar **p)
+ cc.code = *(q++);
+ } else if (*q > 0xa0) {
+ cc.ccs = wtf_gr_ccs;
+- if (WC_CCS_IS_WIDE(cc.ccs)) {
++ if (WC_CCS_IS_WIDE(cc.ccs) && *(q+1)) {
+ cc.code = ((wc_uint32)*q << 8) | *(q+1);
+ q += 2;
+ } else
+@@ -410,27 +410,47 @@ wtf_parse1(wc_uchar **p)
+ case WC_CCS_A_CS942:
+ case WC_CCS_A_PCS:
+ case WC_CCS_A_UNKNOWN:
+- cc.ccs |= *(q++) & 0x7f;
+- cc.code = *(q++);
++ if (*q && *(q+1)) {
++ cc.ccs |= *(q++) & 0x7f;
++ cc.code = *(q++);
++ } else {
++ cc.ccs = WC_CCS_US_ASCII;
++ cc.code = (wc_uint32)' ';
++ }
+ break;
+ case WC_CCS_A_CS94W:
+ case WC_CCS_A_CS96W:
+ case WC_CCS_A_PCSW:
+- cc.ccs |= *(q++) & 0x7f;
+- cc.code = ((wc_uint32)*q << 8) | *(q+1);
+- q += 2;
++ if (*q && *(q+1) && *(q+2)) {
++ cc.ccs |= *(q++) & 0x7f;
++ cc.code = ((wc_uint32)*q << 8) | *(q+1);
++ q += 2;
++ } else {
++ cc.ccs = WC_CCS_US_ASCII;
++ cc.code = (wc_uint32)' ';
++ }
+ break;
+ case WC_CCS_A_WCS16:
+ case WC_CCS_A_WCS16W:
+- cc.ccs |= (*q & 0x7c) >> 2;
+- cc.code = wtf_to_wcs16(q);
+- q += 3;
++ if (*q && *(q+1) && *(q+2)) {
++ cc.ccs |= (*q & 0x7c) >> 2;
++ cc.code = wtf_to_wcs16(q);
++ q += 3;
++ } else {
++ cc.ccs = WC_CCS_US_ASCII;
++ cc.code = (wc_uint32)' ';
++ }
+ break;
+ case WC_CCS_A_WCS32:
+ case WC_CCS_A_WCS32W:
+- cc.ccs |= (*q & 0x70) >> 4;
+- cc.code = wtf_to_wcs32(q);
+- q += 5;
++ if (*q && *(q+1) && *(q+2) && *(q+3) && *(q+4)) {
++ cc.ccs |= (*q & 0x70) >> 4;
++ cc.code = wtf_to_wcs32(q);
++ q += 5;
++ } else {
++ cc.ccs = WC_CCS_US_ASCII;
++ cc.code = (wc_uint32)' ';
++ }
+ break;
+ default:
+ /* case 0: */
+--
+2.10.2
+
diff --git a/debian/patches/series b/debian/patches/series
index d7c9aee..2deaeaf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -69,3 +69,24 @@
 931_parse-url.patch
 932_ucsmap.patch
 933_table-level.patch
+934_menu.patch
+935_shiftanchor.patch
+936_metarefresh.patch
+937_lineproc0.patch
+938_lineproc2body.patch
+939_textarea.patch
+940_tabattr.patch
+941_integeredwidth.patch
+942_tridvalue.patch
+943_pushlink.patch
+944_lineproc0.patch
+945_wtfstrwidth.patch
+946_strnewsize.patch
+947_realcolumn.patch
+948_getmclen.patch
+949_wtftowcs.patch
+950_textarea.patch
+951_lineproc0.patch
+952_formupdatebuffer.patch
+953_formupdateline.patch
+954_wtfparse1.patch
--
cgit v1.2.3
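Review bot: Every new `else` fallback in the wtf_parse1() switch substitutes a space but leaves `q` where it was, so the function only guarantees forward progress on a truncated sequence if the byte that selected the case was already consumed before the switch; that code sits above the second hunk and is not visible here, whereas the first hunk's non-wide path still consumes one byte via `cc.code = *(q++)`, so the two hunks treat truncation differently. A one-line comment on the first fallback would make the invariant explicit for the next reader, e.g. `/* truncated sequence: substitute a space; the lead byte was consumed above, so the caller still advances */`, after confirming that against the code preceding the switch. If that assumption does not hold, a caller looping until `*p == 0` would spin on the same position, which matters because this parser runs on document bytes.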