From bde3a3e9a0b10a9274a837ea09296400cdd513c9 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Wed, 17 Aug 2016 19:47:19 +0900
Subject: Prevent negative array index for selectnumber and textareanumber

Bug-Debian: https://github.com/tats/w3m/issues/12 [CVE-2016-9424]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a25fd09f74fb83499396935a96d63bb7cb8e2c58
---
 form.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'form.c')

diff --git a/form.c b/form.c
index 87a5d49..da115fa 100644
--- a/form.c
+++ b/form.c
@@ -10,8 +10,10 @@
 #include "regex.h"
 
 extern Str *textarea_str;
+extern int max_textarea;
 #ifdef MENU_SELECT
 extern FormSelectOption *select_option;
+extern int max_select;
 #include "menu.h"
 #endif				/* MENU_SELECT */
 
@@ -122,10 +124,12 @@ formList_addInput(struct form_list *fl, struct parsed_tag *tag)
     parsedtag_get_value(tag, ATTR_SIZE, &item->size);
     parsedtag_get_value(tag, ATTR_MAXLENGTH, &item->maxlength);
     item->readonly = parsedtag_exists(tag, ATTR_READONLY);
-    if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i))
+    if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i)
+	&& i >= 0 && i < max_textarea)
 	item->value = item->init_value = textarea_str[i];
 #ifdef MENU_SELECT
-    if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i))
+    if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i)
+	&& i >= 0 && i < max_select)
 	item->select_option = select_option[i].first;
 #endif				/* MENU_SELECT */
     if (parsedtag_get_value(tag, ATTR_ROWS, &p))
-- 
cgit v1.2.3