current/SOURCES/w3m-0.5-3-cve-2022-38223.patch

From 419ca82d57c72242817b55e2eaa4cdbf6916e7fa Mon Sep 17 00:00:00 2001
From: Tatsuya Kinoshita <tats@debian.org>
Date: Tue, 20 Dec 2022 21:16:48 +0900
Subject: [PATCH] Fix m17n backspace handling causes out-of-bounds write in
 checkType

[CVE-2022-38223]
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
Bug-Debian: https://github.com/tats/w3m/issues/242
---
 etc.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/etc.c b/etc.c
index 805bfa06..46aeed91 100644
--- a/etc.c
+++ b/etc.c
@@ -256,6 +256,9 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
 #ifdef USE_M17N
     int i;
     int plen = 0, clen;
+    int *plens = NULL;
+    static int *plens_buffer = NULL;
+    static int plens_size = 0;
 #endif
 
     if (prop_size < s->length) {
@@ -263,6 +266,13 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
        prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
     }
     prop = prop_buffer;
+#ifdef USE_M17N
+    if (plens_size < s->length) {
+       plens_size = (s->length > LINELEN) ? s->length : LINELEN;
+       plens_buffer = New_Reuse(int, plens_buffer, plens_size);
+    }
+    plens = plens_buffer;
+#endif
 
     if (ShowEffect) {
        bs = memchr(str, '\b', s->length);
@@ -297,14 +307,21 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
 #ifdef USE_ANSI_COLOR
                if (color)
                    *(color++) = 0;
+#endif
+#ifdef USE_M17N
+               *(plens++) = plen = 1;
 #endif
            }
            Strcat_charp_n(s, sp, (int)(str - sp));
        }
     }
     if (!do_copy) {
-       for (; str < endp && IS_ASCII(*str); str++)
+       for (; str < endp && IS_ASCII(*str); str++) {
            *(prop++) = PE_NORMAL | (IS_CNTRL(*str) ? PC_CTRL : PC_ASCII);
+#ifdef USE_M17N
+           *(plens++) = plen = 1;
+#endif
+       }
     }
 
     while (str < endp) {
@@ -366,6 +383,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
                        else {
                            Strshrink(s, plen);
                            prop -= plen;
+                           plen = *(--plens);
                            str += 2;
                        }
                    }
@@ -387,6 +405,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
                        else {
                            Strshrink(s, plen);
                            prop -= plen;
+                           plen = *(--plens);
                            str++;
                        }
 #else
@@ -441,6 +460,7 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
        *(prop++) = mode;
 #ifdef USE_M17N
        plen = get_mclen(str);
+       *(plens++) = plen;
        if (plen > 1) {
            mode = (mode & ~PC_WCHAR1) | PC_WCHAR2;
            for (i = 1; i < plen; i++) {
1	From 419ca82d57c72242817b55e2eaa4cdbf6916e7fa Mon Sep 17 00:00:00 2001
2	From: Tatsuya Kinoshita <tats@debian.org>
3	Date: Tue, 20 Dec 2022 21:16:48 +0900
4	Subject: [PATCH] Fix m17n backspace handling causes out-of-bounds write in
5	checkType
6
7	[CVE-2022-38223]
8	Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
9	Bug-Debian: https://github.com/tats/w3m/issues/242
10	---
11	etc.c \| 22 +++++++++++++++++++++-
12	1 file changed, 21 insertions(+), 1 deletion(-)
13
14	diff --git a/etc.c b/etc.c
15	index 805bfa06..46aeed91 100644
16	--- a/etc.c
17	+++ b/etc.c
18	@@ -256,6 +256,9 @@ checkType(Str s, Lineprop oprop, Linecolor ocolor)
19	#ifdef USE_M17N
20	int i;
21	int plen = 0, clen;
22	+ int *plens = NULL;
23	+ static int *plens_buffer = NULL;
24	+ static int plens_size = 0;
25	#endif
26
27	if (prop_size < s->length) {
28	@@ -263,6 +266,13 @@ checkType(Str s, Lineprop oprop, Linecolor ocolor)
29	prop_buffer = New_Reuse(Lineprop, prop_buffer, prop_size);
30	}
31	prop = prop_buffer;
32	+#ifdef USE_M17N
33	+ if (plens_size < s->length) {
34	+ plens_size = (s->length > LINELEN) ? s->length : LINELEN;
35	+ plens_buffer = New_Reuse(int, plens_buffer, plens_size);
36	+ }
37	+ plens = plens_buffer;
38	+#endif
39
40	if (ShowEffect) {
41	bs = memchr(str, '\b', s->length);
42	@@ -297,14 +307,21 @@ checkType(Str s, Lineprop oprop, Linecolor ocolor)
43	#ifdef USE_ANSI_COLOR
44	if (color)
45	*(color++) = 0;
46	+#endif
47	+#ifdef USE_M17N
48	+ *(plens++) = plen = 1;
49	#endif
50	}
51	Strcat_charp_n(s, sp, (int)(str - sp));
52	}
53	}
54	if (!do_copy) {
55	- for (; str < endp && IS_ASCII(*str); str++)
56	+ for (; str < endp && IS_ASCII(*str); str++) {
57	(prop++) = PE_NORMAL \| (IS_CNTRL(str) ? PC_CTRL : PC_ASCII);
58	+#ifdef USE_M17N
59	+ *(plens++) = plen = 1;
60	+#endif
61	+ }
62	}
63
64	while (str < endp) {
65	@@ -366,6 +383,7 @@ checkType(Str s, Lineprop oprop, Linecolor ocolor)
66	else {
67	Strshrink(s, plen);
68	prop -= plen;
69	+ plen = *(--plens);
70	str += 2;
71	}
72	}
73	@@ -387,6 +405,7 @@ checkType(Str s, Lineprop oprop, Linecolor ocolor)
74	else {
75	Strshrink(s, plen);
76	prop -= plen;
77	+ plen = *(--plens);
78	str++;
79	}
80	#else
81	@@ -441,6 +460,7 @@ checkType(Str s, Lineprop oprop, Linecolor ocolor)
82	*(prop++) = mode;
83	#ifdef USE_M17N
84	plen = get_mclen(str);
85	+ *(plens++) = plen;
86	if (plen > 1) {
87	mode = (mode & ~PC_WCHAR1) \| PC_WCHAR2;
88	for (i = 1; i < plen; i++) {