From d73f74e2cb70297d1373d7fa8921881106dc0b58 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Fri, 6 Jan 2017 23:18:40 +0900 Subject: Fix multiple vulnerabilities (closes: #850432) - New patch 934_menu.patch to fix buffer overflow (tats/w3m#49) - New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62) - New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63) - New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67) - New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61) - New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58) - New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60) - New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70) - New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71) - New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66) - New patch 944_lineproc0.patch to fix use after free (tats/w3m#65) - New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57) - New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72) - New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69) - New patch 948_getmclen.patch to fix buffer overflow (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84) - New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77) - New patch 950_textarea.patch to fix infinite loop (tats/w3m#85) - New patch 951_lineproc0.patch to fix use after free (tats/w3m#81) - New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82) - New patch 953_formupdateline.patch to fix buffer overflow (tats/w3m#68#issuecomment-266214643) - New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68) --- debian/patches/945_wtfstrwidth.patch | 40 ++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 debian/patches/945_wtfstrwidth.patch (limited to 'debian/patches/945_wtfstrwidth.patch') diff --git a/debian/patches/945_wtfstrwidth.patch b/debian/patches/945_wtfstrwidth.patch new file mode 100644 index 0000000..36ee878 --- /dev/null +++ b/debian/patches/945_wtfstrwidth.patch @@ -0,0 +1,40 @@ +Subject: Prevent overflow beyond the end of string in wtf_strwidth() and wtf_len() +From: Tatsuya Kinoshita +Bug-Debian: https://github.com/tats/w3m/issues/57 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7fbaf9444fcd2d3ce061775949b38deb4d489943 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a56a8ef132945512c010cbcbc873dbb42274f9bd + +--- + libwc/wtf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libwc/wtf.c b/libwc/wtf.c +index b8cfdc7..adee338 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -120,8 +120,9 @@ int + wtf_strwidth(wc_uchar *p) + { + int w = 0; ++ wc_uchar *q = p + strlen(p); + +- while (*p) { ++ while (p < q) { + w += wtf_width(p); + p += WTF_LEN_MAP[*p]; + } +@@ -140,9 +141,10 @@ size_t + wtf_len(wc_uchar *p) + { + wc_uchar *q = p; ++ wc_uchar *strz = p + strlen(p); + + q += WTF_LEN_MAP[*q]; +- while (*q && ! WTF_WIDTH_MAP[*q]) ++ while (q < strz && ! WTF_WIDTH_MAP[*q]) + q += WTF_LEN_MAP[*q]; + return q - p; + } +-- +2.10.2 + -- cgit v1.2.3