From 0a04bf8a1cb3868ace621b092d26cefdeb5ec359 Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Tue, 15 Nov 2016 20:11:52 +0900
Subject: Prevent infinite recursion with nested table and textarea

Bug-Debian: https://github.com/tats/w3m/issues/20 [CVE-2016-9439]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=2a4a2fb9f116b50e7c80d573db06c0fdc6c69272
---
 table.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'table.c')

diff --git a/table.c b/table.c
index 022effe..8cd79e3 100644
--- a/table.c
+++ b/table.c
@@ -1624,6 +1624,15 @@ get_table_width(struct table *t, short *orgwidth, short *cellwidth, int flag)
 #define fixed_table_width(t)\
   (get_table_width(t,t->fixed_width,t->cell.fixed_width,CHECK_MINIMUM))
 
+#define MAX_COTABLE_LEVEL 100
+static int cotable_level;
+
+void
+initRenderTable(void)
+{
+    cotable_level = 0;
+}
+
 void
 renderCoTable(struct table *tbl, int maxlimit)
 {
@@ -1634,6 +1643,10 @@ renderCoTable(struct table *tbl, int maxlimit)
     int i, col, row;
     int indent, maxwidth;
 
+    if (cotable_level >= MAX_COTABLE_LEVEL)
+	return;	/* workaround to prevent infinite recursion */
+    cotable_level++;
+
     for (i = 0; i < tbl->ntable; i++) {
 	t = tbl->tables[i].ptr;
 	col = tbl->tables[i].col;
-- 
cgit v1.2.3