blob: d4e000fbc417fd9d664c3f0fca5f9f5c5df2eaf4 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
Subject: Prevent dereference near-null pointer in formUpdateBuffer
Author: Tatsuya Kinoshita <tats@debian.org>
Bug-Debian: https://github.com/tats/w3m/issues/35 [CVE-2016-9624]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=e2c7ecec6f9b730ad3c9bf8c8df9212970f183d7
diff --git a/form.c b/form.c
index de7a4d9..1aaaf19 100644
--- a/form.c
+++ b/form.c
@@ -442,7 +442,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
switch (form->type) {
case FORM_INPUT_CHECKBOX:
case FORM_INPUT_RADIO:
- if (spos >= buf->currentLine->len || spos < 0)
+ if (buf->currentLine == NULL ||
+ spos >= buf->currentLine->len || spos < 0)
break;
if (form->checked)
buf->currentLine->lineBuf[spos] = '*';
|
