From ddf28e2cf9e16a559a08ee10ea60d1683b894a16 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Wed, 17 Aug 2016 21:10:30 +0900 Subject: Prevent segfault for formUpdateBuffer Bug-Debian: https://github.com/tats/w3m/issues/13 [CVE-2016-9432] Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=807e8b7fbffca6dcaf5db40e35f05d05c5cf02d3 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7b88478227978a8d673b4dd0e05eee410cc33330 --- form.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/form.c b/form.c index da115fa..779ba2f 100644 --- a/form.c +++ b/form.c @@ -481,8 +481,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) spos = a->start.pos; epos = a->end.pos; } - if (a->start.line != a->end.line || spos > epos) - epos = spos; + if (a->start.line != a->end.line || spos > epos || epos >= l->len) + break; pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col, rows > 1, form->type == FORM_INPUT_PASSWORD); -- cgit v1.2.3