From 9d6b147df996ae28128d54e8a9dc92c4714b87d8 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Mon, 21 Nov 2016 23:43:14 +0900
Subject: New patch 917_strgrow.patch to fix potential heap buffer corruption

[CVE-2016-9442]
---
 debian/patches/917_strgrow.patch | 20 ++++++++++++++++++++
 debian/patches/series            |  1 +
 2 files changed, 21 insertions(+)
 create mode 100644 debian/patches/917_strgrow.patch

(limited to 'debian/patches')

diff --git a/debian/patches/917_strgrow.patch b/debian/patches/917_strgrow.patch
new file mode 100644
index 0000000..ac646dc
--- /dev/null
+++ b/debian/patches/917_strgrow.patch
@@ -0,0 +1,20 @@
+Subject: Fix potential heap buffer corruption due to Strgrow
+Author: Kuang-che Wu <kcwu@google.com>
+Bug-Debian: https://github.com/tats/w3m/pull/27 [CVE-2016-9442]
+Origin: https://github.com/tats/w3m/pull/27/commits/c95a43dc92695464be11c8a51811aaa9761546e6
+
+diff --git a/Str.c b/Str.c
+index eff82a4..5287c0f 100644
+--- a/Str.c
++++ b/Str.c
+@@ -232,8 +232,8 @@ Strgrow(Str x)
+ {
+     char *old = x->ptr;
+     int newlen;
+-    newlen = x->length * 6 / 5;
+-    if (newlen == x->length)
++    newlen = x->area_size * 6 / 5;
++    if (newlen == x->area_size)
+ 	newlen += 2;
+     x->ptr = GC_MALLOC_ATOMIC(newlen);
+     x->area_size = newlen;
diff --git a/debian/patches/series b/debian/patches/series
index 2720145..223af6d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -52,3 +52,4 @@
 914_curline.patch
 915_table-alt.patch
 916_anchor.patch
+917_strgrow.patch
-- 
cgit v1.2.3