From: Jean-Francois Dockes <jfd@recoll.org>
Date: Sun, 21 Dec 2014 10:08:26 +0100
Subject: check that accesses to color table stay within bounds,
esp that the color number is positive. This fixes {\cb-999} crashing
unrtf
This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15
Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/
Bug-Debian: http://bugs.debian.org/772811
---
src/convert.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/convert.c b/src/convert.c
index e563473..96bf438 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -868,6 +868,9 @@ process_color_table (Word *w)
r=g=b=0;
while(w) {
+ if (total_colors >= MAX_COLORS) {
+ break;
+ }
char *s = word_string (w);
if (!strncmp("\\red",s,4)) {
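Review bot: The new `break` at the top of the `while(w)` loop in process_color_table discards every colour entry past MAX_COLORS silently, so a document with an oversized table converts without any sign that it was truncated. Emitting a diagnostic first, for example `warning_handler ("color table truncated: too many colors");` ahead of the `break`, would match how the cmd_* handlers report a rejected index and makes malformed input visible during triage. The guard also places a statement before the declaration `char *s = word_string (w);`, which needs C99 mixed declarations; if the project still builds as C89, declare `s` before the check. The rest of the loop body, including where total_colors is incremented, is outside this hunk, so it cannot be confirmed from here that this one check covers every write into the table.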
@@ -921,7 +924,7 @@ static int
cmd_cf (Word *w, int align, char has_param, int num) {
char str[40];
- if (!has_param || num>=total_colors) {
+ if (!has_param || num < 0 || num>=total_colors) {
warning_handler ("font color change attempted is invalid");
}
else
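Review bot: The test `!has_param || num < 0 || num>=total_colors` is now written out three times, in cmd_cf here and again in cmd_cb and cmd_highlight, so any future change to the bounds rule has to be repeated by hand in each place. A single file-local predicate such as `static int color_index_ok (char has_param, int num) { return has_param && num >= 0 && num < total_colors; }` would keep the three handlers in step and give the rule one place to be documented. The declaration of total_colors is not visible; if it is unsigned, the `num < 0` test has to stay ahead of the comparison, as it does now, because a negative `num` would otherwise convert to a large value. The else branch that actually indexes the colour table begins outside the hunk.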
@@ -948,7 +951,7 @@ static int
cmd_cb (Word *w, int align, char has_param, int num) {
char str[40];
- if (!has_param || num>=total_colors) {
+ if (!has_param || num < 0 || num>=total_colors) {
warning_handler ("font color change attempted is invalid");
}
else
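Review bot: The warning in cmd_cb still reads "font color change attempted is invalid", the same text as cmd_cf, although this handler is the background-colour command that the commit message names as the crashing input (`{\cb-999}`). Someone reading converter output for a rejected document cannot tell which control word was refused. Using distinct wording, for example `warning_handler ("font background color change attempted is invalid");` as cmd_highlight already does, or a message that names the control word, would make the log line attributable. The function body continues past the end of the hunk.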
@@ -1153,7 +1156,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
{
char str[40];
- if (!has_param || num>=total_colors) {
+ if (!has_param || num < 0 || num>=total_colors) {
warning_handler ("font background color change attempted is invalid");
}
else