Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <1500725936.14212.4.camel@adam-barratt.org.uk>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #850440,
regarding jessie-pu: package w3m/0.5.3-19+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
850440: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850440
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: jessie-pu: package w3m/0.5.3-19+deb8u2
- From: Tatsuya Kinoshita <tats@debian.org>
- Date: Sat, 07 Jan 2017 00:17:07 +0900 (JST)
- Message-id: <20170107.001707.2018406336896355294.tats%nobody@tats.iris.ne.jp>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi, the release team,

I'd like to update package w3m in jessie to fix additional security issues to 0.5.3-19+deb8u1, mentioned in <https://bugs.debian.org/850432>. See this changelog and the attached debdiff.

w3m (0.5.3-19+deb8u2) jessie; urgency=medium

  * Fix multiple vulnerabilities (closes: #850432)
    - New patch 934_menu.patch to fix buffer overflow (tats/w3m#49)
    - New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62)
    - New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63)
    - New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67)
    - New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61)
    - New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58)
    - New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60)
    - New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70)
    - New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71)
    - New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66)
    - New patch 944_lineproc0.patch to fix use after free (tats/w3m#65)
    - New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57)
    - New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72)
    - New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69)
    - New patch 948_getmclen.patch to fix buffer overflow
      (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84)
    - New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77)
    - New patch 950_textarea.patch to fix infinite loop (tats/w3m#85)
    - New patch 951_lineproc0.patch to fix use after free (tats/w3m#81)
    - New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82)
    - New patch 953_formupdateline.patch to fix buffer overflow
      (tats/w3m#68#issuecomment-266214643)
    - New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68)

 -- Tatsuya Kinoshita <tats@debian.org>  Fri, 06 Jan 2017 23:21:55 +0900

Please let me know if I can upload it.

Thanks,
-- 
Tatsuya Kinoshita

diffstat for w3m-0.5.3 w3m-0.5.3

 changelog | 29 ++++++++++++
 patches/934_menu.patch | 25 +++++++++++
 patches/935_shiftanchor.patch | 26 +++++++++++
 patches/936_metarefresh.patch | 28 ++++++++++++
 patches/937_lineproc0.patch | 25 +++++++++++
 patches/938_lineproc2body.patch | 25 +++++++++++
 patches/939_textarea.patch | 25 +++++++++++
 patches/940_tabattr.patch | 25 +++++++++++
 patches/941_integeredwidth.patch | 34 ++++++++++++++
 patches/942_tridvalue.patch | 28 ++++++++++++
 patches/943_pushlink.patch | 32 ++++++++++++++
 patches/944_lineproc0.patch | 26 +++++++++++
 patches/945_wtfstrwidth.patch | 40 +++++++++++++++++
 patches/946_strnewsize.patch | 25 +++++++++++
 patches/947_realcolumn.patch | 25 +++++++++++
 patches/948_getmclen.patch | 76 +++++++++++++++++++++++++++++++++
 patches/949_wtftowcs.patch | 36 +++++++++++++++
 patches/950_textarea.patch | 27 +++++++++++
 patches/951_lineproc0.patch | 25 +++++++++++
 patches/952_formupdatebuffer.patch | 26 +++++++++++
 patches/953_formupdateline.patch | 26 +++++++++++
 patches/954_wtfparse1.patch | 84 +++++++++++++++++++++++++++++++++++++
 patches/series | 21 +++++++++
 23 files changed, 739 insertions(+)

diff -Nru w3m-0.5.3/debian/changelog w3m-0.5.3/debian/changelog
--- w3m-0.5.3/debian/changelog	2016-11-24 19:49:18.000000000 +0900
+++ w3m-0.5.3/debian/changelog	2017-01-06 23:21:55.000000000 +0900
@@ -1,3 +1,32 @@ +w3m (0.5.3-19+deb8u2) jessie; urgency=medium + + * Fix multiple vulnerabilities (closes: #850432) + - New patch 934_menu.patch to fix buffer overflow (tats/w3m#49) + - New patch 935_shiftanchor.patch to fix buffer overflow (tats/w3m#62) + - New patch 936_metarefresh.patch to fix buffer overflow (tats/w3m#63) + - New patch 937_lineproc0.patch to fix buffer overflow (tats/w3m#67) + - New patch 938_lineproc2body.patch to fix buffer overflow (tats/w3m#61) + - New patch 939_textarea.patch to fix buffer overflow (tats/w3m#58) + - New patch 940_tabattr.patch to fix buffer overflow (tats/w3m#60) + - New patch 941_integeredwidth.patch to fix buffer overflow (tats/w3m#70) + - New patch 942_tridvalue.patch to fix buffer overflow (tats/w3m#71) + - New patch 943_pushlink.patch to fix buffer overflow (tats/w3m#64, #66) + - New patch 944_lineproc0.patch to fix use after free (tats/w3m#65) + - New patch 945_wtfstrwidth.patch to fix buffer overflow (tats/w3m#57) + - New patch 946_strnewsize.patch to fix buffer overflow (tats/w3m#72) + - New patch 947_realcolumn.patch to fix buffer overflow (tats/w3m#69) + - New patch 948_getmclen.patch to fix buffer overflow + (tats/w3m#59, #73, #74, #75, #76, #78, #79, #80, #83, #84) + - New patch 949_wtftowcs.patch to fix buffer overflow (tats/w3m#77) + - New patch 950_textarea.patch to fix infinite loop (tats/w3m#85) + - New patch 951_lineproc0.patch to fix use after free (tats/w3m#81) + - New patch 952_formupdatebuffer.patch to fix buffer overflow (tats/w3m#82) + - New patch 953_formupdateline.patch to fix buffer overflow + (tats/w3m#68#issuecomment-266214643) + - New patch 954_wtfparse1.patch to fix buffer overflow (tats/w3m#68) + + -- Tatsuya Kinoshita <tats@debian.org> Fri, 06 Jan 2017 23:21:55 +0900 + w3m (0.5.3-19+deb8u1) jessie; urgency=medium * New patch 901_ucsmap.patch to fix array index (closes: #820162) diff -Nru w3m-0.5.3/debian/patches/934_menu.patch w3m-0.5.3/debian/patches/934_menu.patch --- 
w3m-0.5.3/debian/patches/934_menu.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/934_menu.patch 2017-01-06 23:21:19.000000000 +0900 @@ -0,0 +1,25 @@ +Subject: Fix menu buffer-overflow +From: Kuang-che Wu <kcwu@google.com> +Bug-Debian: https://github.com/tats/w3m/pull/49 +Origin: https://github.com/tats/w3m/pull/49/commits/7e1c05dd90cf42a308e854881ea3813aed000d2e + +--- + menu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/menu.c b/menu.c +index 0f66583..6c5fee0 100644 +--- a/menu.c ++++ b/menu.c +@@ -1692,7 +1692,7 @@ initMenu(void) + FILE *mf; + MenuList *list; + +- w3mMenuList = New_N(MenuList, 3); ++ w3mMenuList = New_N(MenuList, 4); + w3mMenuList[0].id = "Main"; + w3mMenuList[0].menu = &MainMenu; + w3mMenuList[0].item = MainMenuItem; +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/935_shiftanchor.patch w3m-0.5.3/debian/patches/935_shiftanchor.patch --- w3m-0.5.3/debian/patches/935_shiftanchor.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/935_shiftanchor.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,26 @@ +Subject: Prevent negative array index for marks in shiftAnchorPosition() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/62 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d57c13282afc6b7dca029f992331b7afa0413356 + +--- + anchor.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/anchor.c b/anchor.c +index ecb211d..bed8db2 100644 +--- a/anchor.c ++++ b/anchor.c +@@ -551,7 +551,8 @@ shiftAnchorPosition(AnchorList *al, HmarkerList *hl, int line, int pos, + break; + if (a->start.pos > pos) { + a->start.pos += shift; +- if (hl && hl->marks && hl->marks[a->hseq].line == line) ++ if (hl && hl->marks && ++ a->hseq >= 0 && hl->marks[a->hseq].line == line) + hl->marks[a->hseq].pos = a->start.pos; + } + if (a->end.pos >= pos) +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/936_metarefresh.patch w3m-0.5.3/debian/patches/936_metarefresh.patch --- w3m-0.5.3/debian/patches/936_metarefresh.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/936_metarefresh.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,28 @@ +Subject: Prevent negative array index in getMetaRefreshParam() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/63 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6c6a2cbced21ceec2fac08fba1ad271a77f9dbc2 + +--- + file.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/file.c b/file.c +index e82eaf1..18b350a 100644 +--- a/file.c ++++ b/file.c +@@ -4361,8 +4361,9 @@ getMetaRefreshParam(char *q, Str *refresh_uri) + r++; + s_tmp = Strnew_charp_n(q, r - q); + +- if (s_tmp->ptr[s_tmp->length - 1] == '\"' /* " */ +- || s_tmp->ptr[s_tmp->length - 1] == '\'') { /* ' */ ++ if (s_tmp->length > 0 && ++ (s_tmp->ptr[s_tmp->length - 1] == '\"' || /* " */ ++ s_tmp->ptr[s_tmp->length - 1] == '\'')) { /* ' */ + s_tmp->length--; + s_tmp->ptr[s_tmp->length] = '\0'; + } +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/937_lineproc0.patch w3m-0.5.3/debian/patches/937_lineproc0.patch --- w3m-0.5.3/debian/patches/937_lineproc0.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/937_lineproc0.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,25 @@ +Subject: Prevent negative value of row for pushTable() in HTMLlineproc0() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/67 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=0e66622582db13c4ffeba38067e15efd2d68cd75 + +--- + file.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/file.c b/file.c +index 18b350a..6850db1 100644 +--- a/file.c ++++ b/file.c +@@ -6404,6 +6404,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal) + if (obuf->table_level >= 0) { + struct table *tbl0 = tables[obuf->table_level]; + str = Sprintf("<table_alt tid=%d>", tbl0->ntable)->ptr; ++ if (tbl0->row < 0) ++ continue; + pushTable(tbl0, tbl); + tbl = tbl0; + tbl_mode = &table_mode[obuf->table_level]; +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/938_lineproc2body.patch w3m-0.5.3/debian/patches/938_lineproc2body.patch --- w3m-0.5.3/debian/patches/938_lineproc2body.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/938_lineproc2body.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,25 @@ +Subject: Prevent negative array index for marks in HTMLlineproc2body() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/61 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=f34c37f3156d1578a53dccc582c83c88fff76f87 + +--- + file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index 6850db1..c5aeb88 100644 +--- a/file.c ++++ b/file.c +@@ -5699,7 +5699,7 @@ HTMLlineproc2body(Buffer *buf, Str (*feed) (), int llimit) + a_href->end.pos = pos; + if (a_href->start.line == a_href->end.line && + a_href->start.pos == a_href->end.pos) { +- if (buf->hmarklist && ++ if (buf->hmarklist && a_href->hseq >= 0 && + a_href->hseq < buf->hmarklist->nmark) + buf->hmarklist->marks[a_href->hseq].invalid = 1; + a_href->hseq = -1; +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/939_textarea.patch w3m-0.5.3/debian/patches/939_textarea.patch --- w3m-0.5.3/debian/patches/939_textarea.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/939_textarea.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,25 @@ +Subject: Prevent negative array index in process_textarea() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/58 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=d7f55d5959c3e06e9f110f13def7ae9015882e1e + +--- + file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index c5aeb88..330ae3a 100644 +--- a/file.c ++++ b/file.c +@@ -3995,7 +3995,7 @@ process_textarea(struct parsed_tag *tag, int width) + cur_textarea_size = 20; + if (parsedtag_get_value(tag, ATTR_COLS, &p)) { + cur_textarea_size = atoi(p); +- if (p[strlen(p) - 1] == '%') ++ if (strlen(p) > 0 && p[strlen(p) - 1] == '%') + cur_textarea_size = width * cur_textarea_size / 100 - 2; + if (cur_textarea_size <= 0) { + cur_textarea_size = 20; +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/940_tabattr.patch w3m-0.5.3/debian/patches/940_tabattr.patch --- w3m-0.5.3/debian/patches/940_tabattr.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/940_tabattr.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,25 @@ +Subject: Prevent array index out of bounds for tabattr in feed_table_tag() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/60 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a6ddc331e90698fa57732bd55f2e8407f3f32f7a + +--- + table.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/table.c b/table.c +index c57187a..1a37772 100644 +--- a/table.c ++++ b/table.c +@@ -2593,7 +2593,7 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode, + } + tbl->col++; + check_row(tbl, tbl->row); +- while (tbl->tabattr[tbl->row][tbl->col]) { ++ while (tbl->col < MAXCOL && tbl->tabattr[tbl->row][tbl->col]) { + tbl->col++; + } + if (tbl->col > MAXCOL - 1) { +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/941_integeredwidth.patch w3m-0.5.3/debian/patches/941_integeredwidth.patch --- w3m-0.5.3/debian/patches/941_integeredwidth.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/941_integeredwidth.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,34 @@ +Subject: Prevent negative array index in set_integered_width() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/70 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a3ed914b0cfc3750e0eb57bb21e2ec6f86ca94f0 + +--- + table.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/table.c b/table.c +index 1a37772..84e4bf6 100644 +--- a/table.c ++++ b/table.c +@@ -961,7 +961,7 @@ set_integered_width(struct table *t, double *dwidth, short *iwidth) + for (step = 0; step < 2; step++) { + for (i = 0; i <= t->maxcol; i += n) { + int nn; +- char *idx; ++ short *idx; + double nsum; + if (sum < 0.5) + return; +@@ -982,7 +982,7 @@ set_integered_width(struct table *t, double *dwidth, short *iwidth) + (double)rulewidth - mod[ii] > 0.5) + fixed[ii] = 1; + } +- idx = NewAtom_N(char, n); ++ idx = NewAtom_N(short, n); + for (k = 0; k < cell->maxcell; k++) { + int kk, w, width, m; + j = cell->index[k]; +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/942_tridvalue.patch w3m-0.5.3/debian/patches/942_tridvalue.patch --- w3m-0.5.3/debian/patches/942_tridvalue.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/942_tridvalue.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,28 @@ +Subject: Prevent array index out of bounds for tridvalue in feed_table_tag() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/71 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=30b0c971676e229dabd2715c200f76bcfe27a714 + +--- + table.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/table.c b/table.c +index 84e4bf6..1313533 100644 +--- a/table.c ++++ b/table.c +@@ -2567,8 +2567,10 @@ feed_table_tag(struct table *tbl, char *line, struct table_mode *mode, + } + } + #ifdef ID_EXT +- if (parsedtag_get_value(tag, ATTR_ID, &p)) ++ if (parsedtag_get_value(tag, ATTR_ID, &p)) { ++ check_row(tbl, tbl->row); + tbl->tridvalue[tbl->row] = Strnew_charp(p); ++ } + #endif /* ID_EXT */ + tbl->trattr = align | valign; + break; +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/943_pushlink.patch w3m-0.5.3/debian/patches/943_pushlink.patch --- w3m-0.5.3/debian/patches/943_pushlink.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/943_pushlink.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,32 @@ +Subject: Prevent negative values for offset and pos in push_link() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/64 +Bug-Debian: https://github.com/tats/w3m/issues/66 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=ecf57714191b77142da74035b748262cdc80dfb7 + +--- + file.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/file.c b/file.c +index 330ae3a..483180a 100644 +--- a/file.c ++++ b/file.c +@@ -2307,8 +2307,12 @@ push_link(int cmd, int offset, int pos) + struct link_stack *p; + p = New(struct link_stack); + p->cmd = cmd; +- p->offset = offset; +- p->pos = pos; ++ p->offset = (short)offset; ++ if (p->offset < 0) ++ p->offset = 0; ++ p->pos = (short)pos; ++ if (p->pos < 0) ++ p->pos = 0; + p->next = link_stack; + link_stack = p; + } +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/944_lineproc0.patch w3m-0.5.3/debian/patches/944_lineproc0.patch --- w3m-0.5.3/debian/patches/944_lineproc0.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/944_lineproc0.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,26 @@ +Subject: Prevent heap-use-after-free in HTMLlineproc0() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/65 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=26484fc1381e5ec758db950f2bd17f1496220c92 + +--- + file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index 483180a..f5ca8d2 100644 +--- a/file.c ++++ b/file.c +@@ -6585,7 +6585,8 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal) + indent = h_env->envs[h_env->envc].indent; + if (obuf->bp.pos - i > indent) { + Str line; +- append_tags(obuf); ++ append_tags(obuf); /* may reallocate the buffer */ ++ bp = obuf->line->ptr + obuf->bp.len; + line = Strnew_charp(bp); + Strshrink(obuf->line, obuf->line->length - obuf->bp.len); + #ifdef FORMAT_NICE +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/945_wtfstrwidth.patch w3m-0.5.3/debian/patches/945_wtfstrwidth.patch --- w3m-0.5.3/debian/patches/945_wtfstrwidth.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/945_wtfstrwidth.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,40 @@ +Subject: Prevent overflow beyond the end of string in wtf_strwidth() and wtf_len() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/57 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7fbaf9444fcd2d3ce061775949b38deb4d489943 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=a56a8ef132945512c010cbcbc873dbb42274f9bd + +--- + libwc/wtf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libwc/wtf.c b/libwc/wtf.c +index b8cfdc7..adee338 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -120,8 +120,9 @@ int + wtf_strwidth(wc_uchar *p) + { + int w = 0; ++ wc_uchar *q = p + strlen(p); + +- while (*p) { ++ while (p < q) { + w += wtf_width(p); + p += WTF_LEN_MAP[*p]; + } +@@ -140,9 +141,10 @@ size_t + wtf_len(wc_uchar *p) + { + wc_uchar *q = p; ++ wc_uchar *strz = p + strlen(p); + + q += WTF_LEN_MAP[*q]; +- while (*q && ! WTF_WIDTH_MAP[*q]) ++ while (q < strz && ! WTF_WIDTH_MAP[*q]) + q += WTF_LEN_MAP[*q]; + return q - p; + } +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/946_strnewsize.patch w3m-0.5.3/debian/patches/946_strnewsize.patch --- w3m-0.5.3/debian/patches/946_strnewsize.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/946_strnewsize.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,25 @@ +Subject: Prevent heap-buffer-overflow in Strnew_size() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/72 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=4381dffaa3fdf94c384f3588b5c7dff3ba1cc4ae + +--- + Str.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Str.c b/Str.c +index 5287c0f..7a094f5 100644 +--- a/Str.c ++++ b/Str.c +@@ -48,6 +48,8 @@ Str + Strnew_size(int n) + { + Str x = GC_MALLOC(sizeof(struct _Str)); ++ if (n < 0) ++ n = 0; + x->ptr = GC_MALLOC_ATOMIC(n + 1); + x->ptr[0] = '\0'; + x->area_size = n + 1; +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/947_realcolumn.patch w3m-0.5.3/debian/patches/947_realcolumn.patch --- w3m-0.5.3/debian/patches/947_realcolumn.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/947_realcolumn.patch 2017-01-06 23:21:19.000000000 +0900 @@ -0,0 +1,25 @@ +Subject: Prevent negative array index for realColumn in calcPosition() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/69 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=1978455e2ed01699789e8374d29515b74b867b2b + +--- + etc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/etc.c b/etc.c +index 8fe1215..af8a5d3 100644 +--- a/etc.c ++++ b/etc.c +@@ -498,7 +498,7 @@ calcPosition(char *l, Lineprop *pr, int len, int pos, int bpos, int mode) + static char *prevl = NULL; + int i, j; + +- if (l == NULL || len == 0) ++ if (l == NULL || len == 0 || pos < 0) + return bpos; + if (l == prevl && mode == CP_AUTO) { + if (pos <= len) +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/948_getmclen.patch w3m-0.5.3/debian/patches/948_getmclen.patch --- w3m-0.5.3/debian/patches/948_getmclen.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/948_getmclen.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,76 @@ +Subject: Prevent overflow beyond the end of string in caller of get_mclen() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/59 +Bug-Debian: https://github.com/tats/w3m/issues/73 +Bug-Debian: https://github.com/tats/w3m/issues/74 +Bug-Debian: https://github.com/tats/w3m/issues/75 +Bug-Debian: https://github.com/tats/w3m/issues/76 +Bug-Debian: https://github.com/tats/w3m/issues/78 +Bug-Debian: https://github.com/tats/w3m/issues/79 +Bug-Debian: https://github.com/tats/w3m/issues/80 +Bug-Debian: https://github.com/tats/w3m/issues/83 +Bug-Debian: https://github.com/tats/w3m/issues/84 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=6eea841d3a0f8dc539584dc67b15f585a8213775 + +--- + file.c | 2 +- + libwc/wtf.c | 11 ++++++++--- + libwc/wtf.h | 3 +-- + 3 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/file.c b/file.c +index f5ca8d2..4fe8239 100644 +--- a/file.c ++++ b/file.c +@@ -3438,7 +3438,7 @@ process_img(struct parsed_tag *tag, int width) + if (use_image) { + if (n > nw) { + char *r; +- for (r = q, n = 0; r; r += get_mclen(r), n += get_mcwidth(r)) { ++ for (r = q, n = 0; *r; r += get_mclen(r), n += get_mcwidth(r)) { + if (n + get_mcwidth(r) > nw) + break; + } +diff --git a/libwc/wtf.c b/libwc/wtf.c +index adee338..e80d990 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -129,13 +129,18 @@ wtf_strwidth(wc_uchar *p) + return w; + } + +-/* + size_t + wtf_len1(wc_uchar *p) + { +- return (size_t)WTF_LEN_MAP[*p]; ++ size_t len, len_max = WTF_LEN_MAP[*p]; ++ ++ for (len = 0; *(p + len); len++) ++ if (len == len_max) ++ break; ++ if (len == 0) ++ len = 1; ++ return len; + } +-*/ + + size_t + wtf_len(wc_uchar *p) +diff --git a/libwc/wtf.h b/libwc/wtf.h +index ad47973..435526f 100644 +--- a/libwc/wtf.h ++++ b/libwc/wtf.h +@@ -59,8 +59,7 @@ extern void wtf_init(wc_ces ces1, wc_ces ces2); + #define wtf_width(p) (WcOption.use_wide ? 
(int)WTF_WIDTH_MAP[(wc_uchar)*(p)] \ + : ((int)WTF_WIDTH_MAP[(wc_uchar)*(p)] ? 1 : 0)) + extern int wtf_strwidth(wc_uchar *p); +-/* extern size_t wtf_len1(wc_uchar *p); */ +-#define wtf_len1(p) ((int)WTF_LEN_MAP[(wc_uchar)*(p)]) ++extern size_t wtf_len1(wc_uchar *p); + extern size_t wtf_len(wc_uchar *p); + /* extern int wtf_type(wc_uchar *p); */ + #define wtf_type(p) WTF_TYPE_MAP[(wc_uchar)*(p)] +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/949_wtftowcs.patch w3m-0.5.3/debian/patches/949_wtftowcs.patch --- w3m-0.5.3/debian/patches/949_wtftowcs.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/949_wtftowcs.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,36 @@ +Subject: Prevent overflow beyond the end of string for wtf to wcs macros +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/77 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=c3a3305e0334f76626aeaca76bcfab04a94f851d + +--- + libwc/wtf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libwc/wtf.c b/libwc/wtf.c +index e80d990..cdc6cbc 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -173,15 +173,17 @@ wtf_type(wc_uchar *p) + ((p)[3] = (((c) >> 7) & 0x7f) | 0x80), \ + ((p)[4] = ( (c) & 0x7f) | 0x80) + #define wtf_to_wcs16(p) \ ++ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 ? 0 : \ + ((wc_uint32)((p)[0] & 0x03) << 14) \ + | ((wc_uint32)((p)[1] & 0x7f) << 7) \ +- | ((wc_uint32)((p)[2] & 0x7f) ) ++ | ((wc_uint32)((p)[2] & 0x7f) )) + #define wtf_to_wcs32(p) \ ++ ((p)[0] == 0 || (p)[1] == 0 || (p)[2] == 0 || (p)[3] == 0 || (p)[4] == 0 ? 0 : \ + ((wc_uint32)((p)[0] & 0x0f) << 28) \ + | ((wc_uint32)((p)[1] & 0x7f) << 21) \ + | ((wc_uint32)((p)[2] & 0x7f) << 14) \ + | ((wc_uint32)((p)[3] & 0x7f) << 7) \ +- | ((wc_uint32)((p)[4] & 0x7f) ) ++ | ((wc_uint32)((p)[4] & 0x7f) )) + + void + wtf_push(Str os, wc_ccs ccs, wc_uint32 code) +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/950_textarea.patch w3m-0.5.3/debian/patches/950_textarea.patch --- w3m-0.5.3/debian/patches/950_textarea.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/950_textarea.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,27 @@ +Subject: Prevent infinite loop in feed_textarea() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/85 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=7a2675b4a5680d44645e72c4ec1258746a6e1b66 + +--- + file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index 4fe8239..da16a0a 100644 +--- a/file.c ++++ b/file.c +@@ -4076,7 +4076,9 @@ feed_textarea(char *str) + Strcat_charp(textarea_str[n_textarea], "\r\n"); + str++; + } +- else if (*str != '\r') ++ else if (*str == '\r') ++ str++; ++ else + Strcat_char(textarea_str[n_textarea], *(str++)); + } + } +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/951_lineproc0.patch w3m-0.5.3/debian/patches/951_lineproc0.patch --- w3m-0.5.3/debian/patches/951_lineproc0.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/951_lineproc0.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,25 @@ +Subject: Prevent heap-use-after-free read in HTMLlineproc0() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/81 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=aa2077e06fc11f65ba1773e8f5da83d98057e829 + +--- + file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/file.c b/file.c +index da16a0a..6ecb0a6 100644 +--- a/file.c ++++ b/file.c +@@ -6328,7 +6328,7 @@ HTMLlineproc0(char *line, struct html_feed_environ *h_env, int internal) + } + if (h_env->tagbuf->length == 0) + continue; +- str = h_env->tagbuf->ptr; ++ str = Strdup(h_env->tagbuf)->ptr; + if (*str == '<') { + if (str[1] && REALLY_THE_BEGINNING_OF_A_TAG(str)) + is_tag = TRUE; +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/952_formupdatebuffer.patch w3m-0.5.3/debian/patches/952_formupdatebuffer.patch --- w3m-0.5.3/debian/patches/952_formupdatebuffer.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/952_formupdatebuffer.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,26 @@ +Subject: Prevent invalid form_update_line() call in formUpdateBuffer() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/82 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=dc32152dc051923e322fc251aaa2dbd5e54c0fbf + +--- + form.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/form.c b/form.c +index 1aaaf19..162439a 100644 +--- a/form.c ++++ b/form.c +@@ -490,7 +490,8 @@ formUpdateBuffer(Anchor *a, Buffer *buf, FormItemList *form) + spos = a->start.pos; + epos = a->end.pos; + } +- if (a->start.line != a->end.line || spos > epos || epos >= l->len || spos < 0 || epos < 0) ++ if (a->start.line != a->end.line || spos > epos || epos >= l->len || ++ spos < 0 || epos < 0 || COLPOS(l, epos) < col) + break; + pos = form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col, + rows > 1, +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/953_formupdateline.patch w3m-0.5.3/debian/patches/953_formupdateline.patch --- w3m-0.5.3/debian/patches/953_formupdateline.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/953_formupdateline.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,26 @@ +Subject: Preserve one byte for end of string character in form_update_line() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/68#issuecomment-266214643 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=eb4130a7cd2202de6aeb772b7e4f2a417dbff173 + +--- + form.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/form.c b/form.c +index 162439a..0605513 100644 +--- a/form.c ++++ b/form.c +@@ -320,7 +320,8 @@ form_update_line(Line *line, char **str, int spos, int epos, int width, + pos += width - w; + + len = line->len + pos + spos - epos; +- buf = New_N(char, len); ++ buf = New_N(char, len + 1); ++ buf[len] = '\0'; + prop = New_N(Lineprop, len); + bcopy((void *)line->lineBuf, (void *)buf, spos * sizeof(char)); + bcopy((void *)line->propBuf, (void *)prop, spos * sizeof(Lineprop)); +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/954_wtfparse1.patch w3m-0.5.3/debian/patches/954_wtfparse1.patch --- w3m-0.5.3/debian/patches/954_wtfparse1.patch 1970-01-01 09:00:00.000000000 +0900 +++ w3m-0.5.3/debian/patches/954_wtfparse1.patch 2017-01-06 23:21:19.000000000 +0900 
@@ -0,0 +1,84 @@ +Subject: Prevent overflow beyond the end of string in wtf_parse1() +From: Tatsuya Kinoshita <tats@debian.org> +Bug-Debian: https://github.com/tats/w3m/issues/68 +Origin: https://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=00433f4ac2645ac6236ea1892b4a93f26a039a84 + +--- + libwc/wtf.c | 44 ++++++++++++++++++++++++++++++++------------ + 1 file changed, 32 insertions(+), 12 deletions(-) + +diff --git a/libwc/wtf.c b/libwc/wtf.c +index cdc6cbc..94d95c1 100644 +--- a/libwc/wtf.c ++++ b/libwc/wtf.c +@@ -397,7 +397,7 @@ wtf_parse1(wc_uchar **p) + cc.code = *(q++); + } else if (*q > 0xa0) { + cc.ccs = wtf_gr_ccs; +- if (WC_CCS_IS_WIDE(cc.ccs)) { ++ if (WC_CCS_IS_WIDE(cc.ccs) && *(q+1)) { + cc.code = ((wc_uint32)*q << 8) | *(q+1); + q += 2; + } else +@@ -410,27 +410,47 @@ wtf_parse1(wc_uchar **p) + case WC_CCS_A_CS942: + case WC_CCS_A_PCS: + case WC_CCS_A_UNKNOWN: +- cc.ccs |= *(q++) & 0x7f; +- cc.code = *(q++); ++ if (*q && *(q+1)) { ++ cc.ccs |= *(q++) & 0x7f; ++ cc.code = *(q++); ++ } else { ++ cc.ccs = WC_CCS_US_ASCII; ++ cc.code = (wc_uint32)' '; ++ } + break; + case WC_CCS_A_CS94W: + case WC_CCS_A_CS96W: + case WC_CCS_A_PCSW: +- cc.ccs |= *(q++) & 0x7f; +- cc.code = ((wc_uint32)*q << 8) | *(q+1); +- q += 2; ++ if (*q && *(q+1) && *(q+2)) { ++ cc.ccs |= *(q++) & 0x7f; ++ cc.code = ((wc_uint32)*q << 8) | *(q+1); ++ q += 2; ++ } else { ++ cc.ccs = WC_CCS_US_ASCII; ++ cc.code = (wc_uint32)' '; ++ } + break; + case WC_CCS_A_WCS16: + case WC_CCS_A_WCS16W: +- cc.ccs |= (*q & 0x7c) >> 2; +- cc.code = wtf_to_wcs16(q); +- q += 3; ++ if (*q && *(q+1) && *(q+2)) { ++ cc.ccs |= (*q & 0x7c) >> 2; ++ cc.code = wtf_to_wcs16(q); ++ q += 3; ++ } else { ++ cc.ccs = WC_CCS_US_ASCII; ++ cc.code = (wc_uint32)' '; ++ } + break; + case WC_CCS_A_WCS32: + case WC_CCS_A_WCS32W: +- cc.ccs |= (*q & 0x70) >> 4; +- cc.code = wtf_to_wcs32(q); +- q += 5; ++ if (*q && *(q+1) && *(q+2) && *(q+3) && *(q+4)) { ++ cc.ccs |= (*q & 0x70) >> 4; ++ cc.code = wtf_to_wcs32(q); ++ q 
+= 5; ++ } else { ++ cc.ccs = WC_CCS_US_ASCII; ++ cc.code = (wc_uint32)' '; ++ } + break; + default: + /* case 0: */ +-- +2.10.2 + diff -Nru w3m-0.5.3/debian/patches/series w3m-0.5.3/debian/patches/series --- w3m-0.5.3/debian/patches/series 2016-11-24 19:26:52.000000000 +0900 +++ w3m-0.5.3/debian/patches/series 2017-01-06 23:21:19.000000000 +0900 @@ -69,3 +69,24 @@ 931_parse-url.patch 932_ucsmap.patch 933_table-level.patch +934_menu.patch +935_shiftanchor.patch +936_metarefresh.patch +937_lineproc0.patch +938_lineproc2body.patch +939_textarea.patch +940_tabattr.patch +941_integeredwidth.patch +942_tridvalue.patch +943_pushlink.patch +944_lineproc0.patch +945_wtfstrwidth.patch +946_strnewsize.patch +947_realcolumn.patch +948_getmclen.patch +949_wtftowcs.patch +950_textarea.patch +951_lineproc0.patch +952_formupdatebuffer.patch +953_formupdateline.patch +954_wtfparse1.patchAttachment: pgpfjATYROium.pgp
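Review bot: the debian/changelog hunk describes nearly every entry as "to fix buffer overflow", while the patch Subjects distinguish negative or out-of-range array indices (935, 936, 938, 939, 940, 941, 942, 947), reads beyond the end of a string (945, 948, 949, 954), a missing NUL terminator (953) and use after free (944, 951); carrying the Subject wording into the changelog would let users of the stable update see which bug class each patch addresses without opening the debdiff.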
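Review bot: in 934_menu.patch (initMenu in menu.c), the allocation grows from 3 to 4 MenuList entries, but the hunk shows only `w3mMenuList[0]` being filled, so the initializer that needed the fourth slot is not visible; please confirm the remaining entries (and any terminating entry) are covered, and consider replacing the literal with a named constant shared with the initializer so the count cannot drift from the initializers again.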
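Review bot: in 935_shiftanchor.patch (shiftAnchorPosition in anchor.c), the new `a->hseq >= 0` test only bounds the index from below; 938_lineproc2body.patch guards the same `marks[hseq]` access with both `hseq >= 0` and `hseq < buf->hmarklist->nmark`, so for consistency this site should also check `a->hseq < hl->nmark` before indexing `hl->marks[a->hseq]`, or both sites should share one "valid hseq" helper.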
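Review bot: in 937_lineproc0.patch (HTMLlineproc0 in file.c), `if (tbl0->row < 0) continue;` is placed after `str = Sprintf("<table_alt tid=%d>", tbl0->ntable)->ptr;`, so the Sprintf result is built and discarded on the skipped path; moving the check above the Sprintf is cheaper, and a short comment explaining what input state leaves `tbl0->row` negative (neither the Subject nor the hunk says) would make the silent `continue`, which drops the nested table, easier to revisit later.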
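Review bot: in 939_textarea.patch (process_textarea in file.c), `strlen(p)` is now evaluated twice in the same condition; computing it once into a local reads better. Separately, the visible `cur_textarea_size = atoi(p);` followed by `width * cur_textarea_size / 100 - 2` has no range check, so an oversized COLS value can overflow the `int` multiplication before the `<= 0` test below runs; clamping the parsed value (strtol with an upper bound) would close that gap.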
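Review bot: in 941_integeredwidth.patch (set_integered_width in table.c), the two hunks change only the declaration and the `NewAtom_N` allocation of `idx` from char to short, not the code that stores column indices into it, so the hunk alone cannot confirm that every value written (column indices up to `t->maxcol`, bounded by MAXCOL) now fits and that no other `char`-typed copy remains; a comment on why `char` was too narrow would also help, since neither the Subject nor the hunk states it.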
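Review bot: in 943_pushlink.patch (push_link in file.c), the clamp runs on `p->offset` and `p->pos` after the cast to short, so an `int` argument above SHRT_MAX is first narrowed (implementation-defined, modulo 2^16 on the usual targets) and only then clamped if the narrowing happened to produce a negative value; arguments that wrap to a positive short pass through unchanged. Clamping the `int` parameters before the store (`offset < 0 || offset > SHRT_MAX`) would make the intent explicit, and a comment on why 0 is a safe fallback position belongs here too.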
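Review bot: in 945_wtfstrwidth.patch (wtf_len in libwc/wtf.c), the first advance `q += WTF_LEN_MAP[*q];` still runs before the new `q < strz` test, so a multi-byte lead byte immediately before the terminator yields a return value larger than the bytes remaining and the caller steps past the NUL; the bounded `wtf_len1()` introduced in 948_getmclen.patch, which counts bytes until NUL up to `WTF_LEN_MAP[*p]`, is the natural replacement for that first step. Also, `strlen(p)` is passed a `wc_uchar *`; a cast to `char *` avoids the pointer-sign warning.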
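Review bot: in 946_strnewsize.patch (Strnew_size in Str.c), clamping a negative `n` to 0 prevents the undersized `GC_MALLOC_ATOMIC(n + 1)` but also silences the caller that computed a negative length; an assertion or debug log on that path would keep the root cause visible, and `n + 1` remains unchecked for `n == INT_MAX`.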
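Review bot: in 948_getmclen.patch, the process_img loop condition changing from `r` (a non-null pointer, always true) to `*r` is the actual termination fix; in the new `wtf_len1()` the `if (len == 0) len = 1;` fallback means it returns 1 when `*p` is the terminator, so callers must test `*p` before advancing by `wtf_len1(p)`. A comment in wtf.h on that contract (and on why 1 rather than 0 is returned, presumably to guarantee forward progress) would stop the next caller from repeating the process_img mistake.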
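Review bot: in 949_wtftowcs.patch (libwc/wtf.c), the wtf_to_wcs16/wtf_to_wcs32 macros now return 0 when any byte they read is NUL; since 0 is also a legitimate code value, callers cannot distinguish "truncated" from a zero code, so a comment stating that the macros are only meaningful after the caller has verified the bytes (as 954_wtfparse1.patch does) would document the contract. The added ternary also evaluates `(p)[0]`..`(p)[4]` twice, which is fine for the plain pointer arguments used here but rules out side-effecting arguments.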
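Review bot: in 950_textarea.patch (feed_textarea in file.c), the old `else if (*str != '\r')` left a lone CR neither consumed nor appended, which is where the loop stalled; the fix consumes it, so a CR not followed by LF is now silently dropped from the textarea content. That behaviour deserves a one-line comment next to the `"\r\n"` branch above it, which shows the intended line-ending normalisation.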
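Review bot: in 951_lineproc0.patch (HTMLlineproc0 in file.c), `str = Strdup(h_env->tagbuf)->ptr;` copies every tag buffer so that `str` stays valid when `h_env->tagbuf` is reallocated later in the loop body, but the hunk carries no comment saying so; please add one, since a later cleanup could easily "optimise" the copy away and reintroduce the use-after-free read.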
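Review bot: in 952_formupdatebuffer.patch (formUpdateBuffer in form.c), the new `COLPOS(l, epos) < col` condition stops a negative width from reaching `form_update_line(l, &p, spos, epos, COLPOS(l, epos) - col, ...)`, but like the existing conditions it does so with `break`, abandoning the remaining lines of a multi-row field without any diagnostic; a comment on why breaking out (rather than skipping just this line) is the right recovery would help the next reader.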
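Review bot: in 953_formupdateline.patch (form_update_line in form.c), reserving `len + 1` bytes and writing `buf[len] = '\0'` fixes the missing terminator, but `len = line->len + pos + spos - epos` is computed from arguments this function never validates (the caller-side checks live in 952_formupdatebuffer.patch), so a defensive `if (len < 0)` guard or assertion before `New_N(char, len + 1)` would keep the function safe independently of its callers.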
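Review bot: in 954_wtfparse1.patch (wtf_parse1 in libwc/wtf.c), the four truncation fallbacks set `cc.ccs = WC_CCS_US_ASCII; cc.code = (wc_uint32)' ';` without advancing `q`; please confirm (it is outside the hunk) that the leading type byte was already consumed before the switch, otherwise the function returns without making progress on truncated input. The identical five-line fallback is repeated four times and would be clearer as a single label or static helper, with a comment explaining why a space is substituted rather than the parse being rejected.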
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 843701-done@bugs.debian.org, 850440-done@bugs.debian.org, 858310-done@bugs.debian.org, 858846-done@bugs.debian.org, 861926-done@bugs.debian.org, 862167-done@bugs.debian.org, 862169-done@bugs.debian.org, 862173-done@bugs.debian.org, 862327-done@bugs.debian.org, 862353-done@bugs.debian.org, 862438-done@bugs.debian.org, 862456-done@bugs.debian.org, 862481-done@bugs.debian.org, 862498-done@bugs.debian.org, 862891-done@bugs.debian.org, 862960-done@bugs.debian.org, 862964-done@bugs.debian.org, 862976-done@bugs.debian.org, 862983-done@bugs.debian.org, 862986-done@bugs.debian.org, 862997-done@bugs.debian.org, 863049-done@bugs.debian.org, 863562-done@bugs.debian.org, 863682-done@bugs.debian.org, 863953-done@bugs.debian.org, 863970-done@bugs.debian.org, 864267-done@bugs.debian.org, 864745-done@bugs.debian.org, 864770-done@bugs.debian.org, 864910-done@bugs.debian.org, 864986-done@bugs.debian.org, 865102-done@bugs.debian.org, 865483-done@bugs.debian.org, 865763-done@bugs.debian.org, 866333-done@bugs.debian.org, 866517-done@bugs.debian.org, 866643-done@bugs.debian.org, 866967-done@bugs.debian.org, 867119-done@bugs.debian.org, 867328-done@bugs.debian.org, 867562-done@bugs.debian.org, 868106-done@bugs.debian.org, 868210-done@bugs.debian.org, 868211-done@bugs.debian.org, 868230-done@bugs.debian.org, 868241-done@bugs.debian.org, 868243-done@bugs.debian.org, 868567-done@bugs.debian.org
- Subject: Closing bugs for 8.9 fixes
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 22 Jul 2017 13:18:56 +0100
- Message-id: <1500725936.14212.4.camel@adam-barratt.org.uk>
Version: 8.9

Hi,

These bugs all relate to updates which were included in today's jessie point release.

Regards,

Adam
--- End Message ---