From 26484fc1381e5ec758db950f2bd17f1496220c92 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Wed, 7 Dec 2016 22:09:06 +0900
Subject: Prevent heap-use-after-free in HTMLlineproc0()

Bug-Debian: https://github.com/tats/w3m/issues/65
---
 file.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'file.c')

diff --git a/file.c b/file.c
index 35034ce..7d227da 100644
--- a/file.c
+++ b/file.c
@@ -6618,7 +6618,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal)
 		indent = h_env->envs[h_env->envc].indent;
 		if (obuf->bp.pos - i > indent) {
 		    Str line;
-		    append_tags(obuf);
+		    append_tags(obuf);	/* may reallocate the buffer */
+		    bp = obuf->line->ptr + obuf->bp.len;
 		    line = Strnew_charp(bp);
 		    Strshrink(obuf->line, obuf->line->length - obuf->bp.len);
 #ifdef FORMAT_NICE
-- 
cgit v1.2.3