From d65e12bdf571d1ea3333c30514d737e6563ebc61 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita
Date: Mon, 21 Nov 2016 23:25:20 +0900
Subject: New patch 913_tabwidth.patch to fix heap corruption [CVE-2016-9426]
---
 debian/patches/913_tabwidth.patch | 20 ++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 21 insertions(+)
 create mode 100644 debian/patches/913_tabwidth.patch
(limited to 'debian/patches')
diff --git a/debian/patches/913_tabwidth.patch b/debian/patches/913_tabwidth.patch
new file mode 100644
index 0000000..450df24
--- /dev/null
+++ b/debian/patches/913_tabwidth.patch
@@ -0,0 +1,20 @@
+Subject: Truncate max_width for renderTable
+Author: Tatsuya Kinoshita
+Bug-Debian: https://github.com/tats/w3m/issues/25 [CVE-2016-9426]
+Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=b910f0966d9efea93ea8cef491000a83ffb49c5e
+
+diff --git a/table.c b/table.c
+index deeab0a..a54ea01 100644
+--- a/table.c
++++ b/table.c
+@@ -1724,6 +1724,10 @@ renderTable(struct table *t, int max_width, struct html_feed_environ *h_env)
+ if (max_width < rulewidth)
+ max_width = rulewidth;
+
++#define MAX_TABWIDTH 10000
++ if (max_width > MAX_TABWIDTH)
++ max_width = MAX_TABWIDTH;
++
+ check_maximum_width(t);
+
+ #ifdef MATRIX
diff --git a/debian/patches/series b/debian/patches/series
index 6654637..9404dea 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -48,3 +48,4 @@
 910_input-alt.patch
 911_rowcolspan.patch
 912_i-dd.patch
+913_tabwidth.patch
-- 
cgit v1.2.3
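Review bot: The new upper clamp in the table.c hunk runs after the floor `if (max_width < rulewidth) max_width = rulewidth;`, so whenever rulewidth is larger than MAX_TABWIDTH the function continues with max_width below rulewidth and the floor is silently undone. Whether rulewidth can get that large is not visible in this hunk, so it should be checked or also bounded before `check_maximum_width(t)` is reached. The clamp only limits the parameter at this one point; it is worth confirming that widths computed later from the table contents cannot exceed the same bound. `#define MAX_TABWIDTH 10000` sits in the middle of the function body with no rationale; I would move it to file scope with a comment such as `/* upper bound on rendered table width, see CVE-2016-9426 */`. renderTable's body starts and ends outside the hunk.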