Prevent global-buffer-overflow write in formUpdateBuffer

Bug-Debian: https://github.com/tats/w3m/issues/29
Tatsuya Kinoshita
2016-10-08 07:06:12 +09:00
parent ec9eb22e00
commit d01de738f5

4
form.c

@@ -442,6 +442,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
switch (form->type) { switch (form->type) {
case FORM_INPUT_CHECKBOX: case FORM_INPUT_CHECKBOX:
case FORM_INPUT_RADIO: case FORM_INPUT_RADIO:
if (spos >= buf->currentLine->len || spos < 0)
break;
if (form->checked) if (form->checked)
buf->currentLine->lineBuf[spos] = '*'; buf->currentLine->lineBuf[spos] = '*';
else else
@@ -485,7 +487,7 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form)
spos = a->start.pos; spos = a->start.pos;
epos = a->end.pos; epos = a->end.pos;
} }
if (a->start.line != a->end.line || spos > epos || epos >= l->len) if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0)
break; break;
pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col, pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col,
rows > 1, rows > 1,
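Review bot: In the second hunk the extended condition is harder to audit than it needs to be, because `epos < 0` can never be the deciding test (once `spos > epos` and `spos < 0` are both false, `epos` is already non-negative) and the negative checks trail after `epos >= l->len`. Writing it as `if (a->start.line != a->end.line || spos < 0 || spos > epos || epos >= l->len)` states the valid range 0 <= spos <= epos < l->len in order. Both new guards, here and in the checkbox/radio case of the first hunk, also skip the update silently, so a short comment such as `/* anchor offsets may not fit this line; skip instead of writing out of bounds */` above each would record why they exist. The body of formUpdateBuffer starts and ends outside both hunks, so whether `l` and `buf->currentLine` are checked for NULL before these tests cannot be confirmed from the visible lines.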