Skip to content

Commit

Permalink
Prevent global-buffer-overflow write in formUpdateBuffer
Browse files Browse the repository at this point in the history 
Bug-Debian: #29 [CVE-2016-9429]
Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d01de738f599441740437c6600dd5b1ae7155d27
  • Loading branch information
@tats
tats committed Nov 19, 2016
1 parent 77c2c85 commit 7947052
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion form.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -442,6 +442,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
switch (form->type) {
case FORM_INPUT_CHECKBOX:
case FORM_INPUT_RADIO:
if (spos >= buf->currentLine->len || spos < 0)
break;
if (form->checked)
buf->currentLine->lineBuf[spos] = '*';
else
Expand Down Expand Up @@ -487,7 +489,7 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
spos = a->start.pos;
epos = a->end.pos;
}
if (a->start.line != a->end.line || spos > epos || epos >= l->len)
if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0)
break;
pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,
rows > 1,
Expand Down

0 comments on commit 7947052

Please sign in to comment.