heap out of bound write due to negative array index

[kcwu]

How to reproduce:

$ echo -e '<table><b<>\x00<listing><select_int selectnumber=90000000000>' | ./w3m -T text/html -dump > /dev/null
Segmentation fault
$ echo -e '<table><b<>\x00<listing><select_int selectnumber=-90000>' | ./w3m -T text/html -dump > /dev/null
Segmentation fault

Here, selectnumber could be negative, or positive but overflows to negative.

The corresponding code snippet:

6033    if (parsedtag_get_value(tag, ATTR_SELECTNUMBER, &n_select)
6034        && n_select < max_select) {
6035        select_option[n_select].first = NULL;

n_select is the selectnumber mentioned above. It will crash at line 6035.

Similar code pattern at line 6015:

                      if (parsedtag_get_value(tag, ATTR_TEXTAREANUMBER,
                                              &n_textarea)
                          && n_textarea < max_textarea) {
                          textarea_str[n_textarea] = Strnew();

this is found by afl-fuzz

[tats]

Fixed, thank you.