From d65e12bdf571d1ea3333c30514d737e6563ebc61 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Mon, 21 Nov 2016 23:25:20 +0900 Subject: New patch 913_tabwidth.patch to fix heap corruption [CVE-2016-9426] --- debian/patches/913_tabwidth.patch | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 debian/patches/913_tabwidth.patch (limited to 'debian/patches/913_tabwidth.patch') diff --git a/debian/patches/913_tabwidth.patch b/debian/patches/913_tabwidth.patch new file mode 100644 index 0000000..450df24 --- /dev/null +++ b/debian/patches/913_tabwidth.patch @@ -0,0 +1,20 @@ +Subject: Truncate max_width for renderTable +Author: Tatsuya Kinoshita +Bug-Debian: https://github.com/tats/w3m/issues/25 [CVE-2016-9426] +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=b910f0966d9efea93ea8cef491000a83ffb49c5e + +diff --git a/table.c b/table.c +index deeab0a..a54ea01 100644 +--- a/table.c ++++ b/table.c +@@ -1724,6 +1724,10 @@ renderTable(struct table *t, int max_width, struct html_feed_environ *h_env) + if (max_width < rulewidth) + max_width = rulewidth; + ++#define MAX_TABWIDTH 10000 ++ if (max_width > MAX_TABWIDTH) ++ max_width = MAX_TABWIDTH; ++ + check_maximum_width(t); + + #ifdef MATRIX -- cgit v1.2.3