components/web/w3m/patches/905_textarea.patch

   1 Subject: Prevent negative array index for selectnumber and textareanumber
   2 Author: Tatsuya Kinoshita <tats@debian.org>
   3 Bug-Debian: https://github.com/tats/w3m/issues/12 [CVE-2016-9424]
   4 Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a25fd09f74fb83499396935a96d63bb7cb8e2c58
   5
   6 diff --git a/file.c b/file.c
   7 index d06b2cf..4056393 100644
   8 --- a/file.c
   9 +++ b/file.c
  10 @@ -67,7 +67,7 @@ static int cur_status;
  11  #ifdef MENU_SELECT
  12  /* menu based <select>  */
  13  FormSelectOption *select_option;
  14 -static int max_select = MAX_SELECT;
  15 +int max_select = MAX_SELECT;
  16  static int n_select;
  17  static int cur_option_maxwidth;
  18  #endif                         /* MENU_SELECT */
  19 @@ -79,7 +79,7 @@ static int cur_textarea_rows;
  20  static int cur_textarea_readonly;
  21  static int n_textarea;
  22  static int ignore_nl_textarea;
  23 -static int max_textarea = MAX_TEXTAREA;
  24 +int max_textarea = MAX_TEXTAREA;
  25
  26  static int http_response_code;
  27
  28 @@ -5986,7 +5986,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
  29                 case HTML_TEXTAREA_INT:
  30                     if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER,
  31                                             &n_textarea)
  32 -                       && n_textarea < max_textarea) {
  33 +                       && n_textarea >= 0 && n_textarea < max_textarea) {
  34                         textarea_str[n_textarea] = Strnew();
  35                     }
  36                     else
  37 @@ -6003,7 +6003,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit)
  38  #ifdef MENU_SELECT
  39                 case HTML_SELECT_INT:
  40                     if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &n_select)
  41 -                       && n_select < max_select) {
  42 +                       && n_select >= 0 && n_select < max_select) {
  43                         select_option[n_select].first = NULL;
  44                         select_option[n_select].last = NULL;
  45                     }
  46 diff --git a/form.c b/form.c
  47 index 87a5d49..da115fa 100644
  48 --- a/form.c
  49 +++ b/form.c
  50 @@ -10,8 +10,10 @@
  51  #include "regex.h"
  52
  53  extern Str *textarea_str;
  54 +extern int max_textarea;
  55  #ifdef MENU_SELECT
  56  extern FormSelectOption *select_option;
  57 +extern int max_select;
  58  #include "menu.h"
  59  #endif                         /* MENU_SELECT */
  60
  61 @@ -122,10 +124,12 @@ formList_addInput(struct form_list *fl, struct parsed_tag *tag)
  62      parsedtag_get_value(tag, ATTR_SIZE, &item->size);
  63      parsedtag_get_value(tag, ATTR_MAXLENGTH, &item->maxlength);
  64      item->readonly = parsedtag_exists(tag, ATTR_READONLY);
  65 -    if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i))
  66 +    if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER, &i)
  67 +       && i >= 0 && i < max_textarea)
  68         item->value = item->init_value = textarea_str[i];
  69  #ifdef MENU_SELECT
  70 -    if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i))
  71 +    if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &i)
  72 +       && i >= 0 && i < max_select)
  73         item->select_option = select_option[i].first;
  74  #endif                         /* MENU_SELECT */
  75      if (parsedtag_get_value(tag, ATTR_ROWS, &p))