From d73f74e2cb70297d1373d7fa8921881106dc0b58 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Fri, 6 Jan 2017 23:18:40 +0900 Subject: Fix multiple vulnerabilities (closes: #850432) - New patch 934_menu.patch to fix buffer overflow (tats/w3m#49) - New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62) - New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63) - New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67) - New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61) - New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58) - New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60) - New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70) - New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71) - New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66) - New patch 944_lineproc0.patch to fix use after free (tats/w3m#65) - New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57) - New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72) - New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69) - New patch 948_getmclen.patch to fix buffer overflow (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84) - New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77) - New patch 950_textarea.patch to fix infinite loop (tats/w3m#85) - New patch 951_lineproc0.patch to fix use after free (tats/w3m#81) - New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82) - New patch 953_formupdateline.patch to fix buffer overflow (tats/w3m#68#issuecomment-266214643) - New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68) --- debian/patches/948_getmclen.patch | 76 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 debian/patches/948_getmclen.patch (limited to 'debian/patches/948_getmclen.patch') diff --git a/debian/patches/948_getmclen.patch b/debian/patches/948_getmclen.patch new file mode 100644 index 0000000..1504f23 --- /dev/null +++ b/debian/patches/948_getmclen.patch @@ -0,0 +1,76 @@ +Subject: Prevent overflow beyond the end of string in caller of get_mclen() +From: Tatsuya Kinoshita +Bug-Debian: https://github.com/tats/w3m/issues/59 +Bug-Debian: https://github.com/tats/w3m/issues/73 +Bug-Debian: https://github.com/tats/w3m/issues/74 +Bug-Debian: https://github.com/tats/w3m/issues/75 +Bug-Debian: https://github.com/tats/w3m/issues/76 +Bug-Debian: https://github.com/tats/w3m/issues/78 +Bug-Debian: https://github.com/tats/w3m/issues/79 +Bug-Debian: https://github.com/tats/w3m/issues/80 +Bug-Debian: https://github.com/tats/w3m/issues/83 +Bug-Debian: https://github.com/tats/w3m/issues/84 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6eea841d3a0f8dc539584dc67b15f585a8213775 + +--- + file.c | 2 +- + libwc/wtf.c | 11 ++++++++--- + libwc/wtf.h | 3 +-- + 3 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/file.c b/file.c +index f5ca8d2..4fe8239 100644 +--- a/file.c ++++ b/file.c +@@ -3438,7 +3438,7 @@ process_img(struct parsed_tag *tag, int width) + if (use_image) { + if (n > nw) { + char *r; +- for (r = q, n = 0; r; r += get_mclen(r), n += get_mcwidth(r)) { ++ for (r = q, n = 0; *r; r += get_mclen(r), n += get_mcwidth(r)) { + if (n + get_mcwidth(r) > nw) + break; + } +diff --git a/libwc/wtf.c b/libwc/wtf.c +index adee338..e80d990 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -129,13 +129,18 @@ wtf_strwidth(wc_uchar *p) + return w; + } + +-/* + size_t + wtf_len1(wc_uchar *p) + { +- return (size_t)WTF_LEN_MAP[*p]; ++ size_t len, len_max = WTF_LEN_MAP[*p]; ++ ++ for (len = 0; *(p + len); len++) ++ if (len == len_max) ++ break; ++ if (len == 0) ++ len = 1; ++ return len; + } +-*/ + + size_t + wtf_len(wc_uchar *p) +diff --git a/libwc/wtf.h b/libwc/wtf.h +index ad47973..435526f 100644 +--- a/libwc/wtf.h ++++ b/libwc/wtf.h +@@ -59,8 +59,7 @@ extern void wtf_init(wc_ces ces1, wc_ces ces2); + #define wtf_width(p) (WcOption.use_wide ? (int)WTF_WIDTH_MAP[(wc_uchar)*(p)] \ + : ((int)WTF_WIDTH_MAP[(wc_uchar)*(p)] ? 1 : 0)) + extern int wtf_strwidth(wc_uchar *p); +-/* extern size_t wtf_len1(wc_uchar *p); */ +-#define wtf_len1(p) ((int)WTF_LEN_MAP[(wc_uchar)*(p)]) ++extern size_t wtf_len1(wc_uchar *p); + extern size_t wtf_len(wc_uchar *p); + /* extern int wtf_type(wc_uchar *p); */ + #define wtf_type(p) WTF_TYPE_MAP[(wc_uchar)*(p)] +-- +2.10.2 + -- cgit v1.2.3