blob: 10e94e3278d4d15ec2e9602eb3cbdaab41c66292 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
Subject: Prevent invalid columnPos() call in formUpdateBuffer()
From: Tatsuya Kinoshita <tats@debian.org>
Bug-Debian: https://github.com/tats/w3m/issues/89 [CVE-2018-6197]
Origin: https://salsa.debian.org/debian/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8
Index: w3m-0.5.3/form.c
===================================================================
--- w3m-0.5.3.orig/form.c 2020-04-29 13:52:58.629142811 +0200
+++ w3m-0.5.3/form.c 2020-04-29 13:52:58.621142209 +0200
@@ -483,6 +483,8 @@
rows = form->rows ? form->rows : 1;
col = COLPOS(l, a->start.pos);
for (c_rows = 0; c_rows < rows; c_rows++, l = l->next) {
+ if (l == NULL)
+ break;
if (rows > 1) {
pos = columnPos(l, col);
a = retrieveAnchor(buf->formitem, l->linenumber, pos);
|
