From: Jean-Francois Dockes <jfd@recoll.org>
Date: Sun, 21 Dec 2014 10:08:26 +0100
Subject: check that accesses to color table stay within bounds,
 esp that the color number is positive. This fixes {\cb-999} crashing
 unrtf

This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15

Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/
Bug-Debian: http://bugs.debian.org/772811
---
 src/convert.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/convert.c b/src/convert.c
index e563473..96bf438 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -868,6 +868,9 @@ process_color_table (Word *w)
 	r=g=b=0;
 
 	while(w) {
+                if (total_colors >= MAX_COLORS) {
+                        break;
+                }
 		char *s = word_string (w);
 
 		if (!strncmp("\\red",s,4)) {
@@ -921,7 +924,7 @@ static int
 cmd_cf (Word *w, int align, char has_param, int num) {
 	char str[40];
 
-	if (!has_param || num>=total_colors) {
+	if (!has_param || num < 0 || num>=total_colors) {
 		warning_handler ("font color change attempted is invalid");
 	}
 	else
@@ -948,7 +951,7 @@ static int
 cmd_cb (Word *w, int align, char has_param, int num) {
 	char str[40];
 
-	if (!has_param || num>=total_colors) {
+	if (!has_param || num < 0 || num>=total_colors) {
 		warning_handler ("font color change attempted is invalid");
 	}
 	else
@@ -1153,7 +1156,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
 {
 	char str[40];
 
-	if (!has_param || num>=total_colors) {
+	if (!has_param || num < 0 || num>=total_colors) {
 		warning_handler ("font background color change attempted is invalid");
 	}
 	else