From: Jean-Francois Dockes <jfd@recoll.org>
Date: Sun, 21 Dec 2014 10:51:47 +0100
Subject: Fix a number of possible crashes caused by a bad format causing
word_string() to return NULL
Second fix for CVE-2014-9275, according to
https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html
Origin: https://bitbucket.org/medoc/unrtf-int/commits/3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3/raw/
Bug-Debian: http://bugs.debian.org/772811
---
src/convert.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/src/convert.c b/src/convert.c
index 96bf438..bd84398 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -278,6 +278,8 @@ word_dump_date (Word *w)
CHECK_PARAM_NOT_NULL(w);
while (w) {
char *s = word_string (w);
+ if (!s)
+ return;
if (*s == '\\') {
++s;
if (!strncmp (s, "yr", 2) && isdigit(s[2])) {
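Review bot: The new NULL guard makes the dereference of `s` safe, but the `isdigit(s[2])` on the last line of the hunk still passes a plain `char` to a ctype function; on platforms where `char` is signed, a high-bit byte in the document after `\yr` becomes a negative argument, which is undefined behaviour for the same untrusted input this fix is hardening against. Cast before the call: `if (!strncmp (s, "yr", 2) && isdigit((unsigned char)s[2])) {`. If the `mo`/`dy` branches that presumably follow use the same pattern, the same cast applies there. The body of word_dump_date continues outside the hunk.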
@@ -524,6 +526,8 @@ process_font_table (Word *w)
if ((w2 = w->child)) {
tmp = word_string(w2);
+ if (!tmp)
+ break;
if (!strncmp("\\f", tmp, 2)) {
num = atoi(&tmp[2]);
name[0] = 0;
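Review bot: The `atoi(&tmp[2])` two lines after the new guard still takes the font number from the document with no validation, so a negative or absurdly large `\f` argument is accepted silently; how `num` is used afterwards is outside the hunk, so I cannot tell whether it is later used as an index. Parsing with `strtol` and rejecting bad values at this point would be in the spirit of the fix: `char *end; long v = strtol(&tmp[2], &end, 10); if (end == &tmp[2] || v < 0) break;` followed by a bound against whatever capacity the font table has. Note that `break` here leaves the loop while the other hunks in this patch `return`; if that asymmetry is intentional a one-line comment such as `/* malformed font entry: stop reading the table */` would help the next reader.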
@@ -704,7 +708,8 @@ process_info_group (Word *w)
char *s;
s = word_string(child);
-
+ if (!s)
+ return;
if (!inline_mode) {
if (!strcmp("\\title", s)) {
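Review bot: The early `return` here abandons the whole info group on a NULL word string, whereas the loops later in the same function (hunks at L41, L55, L64 and L73) skip only the offending word, and nothing in the code says which behaviour is the intended recovery. A comment on the new check would make that explicit, e.g. `/* malformed info group: word_string() returned NULL, give up on the group */`. If the difference is not deliberate, `goto` to the loop advance or `break` would match the inner loops better. The rest of process_info_group lies outside the hunk.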
@@ -712,11 +717,11 @@ process_info_group (Word *w)
w2=child->next;
while (w2) {
char *s2 = word_string(w2);
- if (s2[0] != '\\')
+ if (s2 && s2[0] != '\\')
{
print_with_special_exprs (s2);
}
- else
+ else if (s2)
{
if (s2[1] == '\'')
{
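Review bot: Guarding both branches with `if (s2 && ...)` / `else if (s2)` tests `s2` twice and hides the fact that a NULL word is simply skipped; a single guard reads more clearly, e.g. `if (s2) { if (s2[0] != '\\') { print_with_special_exprs (s2); } else { ... } }`, or a `continue` after the loop's `w2 = w2->next` advance, which sits outside this hunk. The hunks at L55, L64 and L73 repeat the same `if (s2 && s2[0] != '\\')` guard around an otherwise identical `printf` loop; a small static helper that walks the sibling list and prints non-command words would remove the triplication and put the NULL check in one place. Also worth confirming that the `else` branch below, which reads `s2[1]`, never reaches `s2[2]` or beyond without re-checking for the terminator; that code is outside the hunk.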
@@ -735,7 +740,7 @@ process_info_group (Word *w)
w2=child->next;
while (w2) {
char *s2 = word_string(w2);
- if (s2[0] != '\\')
+ if (s2 && s2[0] != '\\')
printf("%s,", s2);
w2 = w2->next;
}
@@ -746,7 +751,7 @@ process_info_group (Word *w)
w2=child->next;
while (w2) {
char *s2 = word_string(w2);
- if (s2[0] != '\\')
+ if (s2 && s2[0] != '\\')
printf("%s", s2);
w2 = w2->next;
}
@@ -758,7 +763,7 @@ process_info_group (Word *w)
w2=child->next;
while (w2) {
char *s2 = word_string(w2);
- if (s2[0] != '\\')
+ if (s2 && s2[0] != '\\')
printf("%s", s2);
w2 = w2->next;
}
@@ -868,11 +873,10 @@ process_color_table (Word *w)
r=g=b=0;
while(w) {
- if (total_colors >= MAX_COLORS) {
+ char *s = word_string (w);
+ if (s == 0 || total_colors >= MAX_COLORS) {
break;
}
- char *s = word_string (w);
-
if (!strncmp("\\red",s,4)) {
r = atoi(&s[4]);
while(r>255) r>>=8;
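Review bot: The new NULL check prevents the crash, but `r = atoi(&s[4])` on the line after it still accepts a negative value, and the following `while(r>255) r>>=8;` only reduces values above 255, so a `\red-1` in the document leaves `r` negative; whether the `\green`/`\blue` branches below (outside the hunk) behave the same I cannot see. Clamp the low side as well: `r = atoi(&s[4]); if (r < 0) r = 0; while(r>255) r>>=8;`. A minor style point: `s == 0` here is the only hunk in this patch that does not write the test as `!s`; using `!s` or `NULL` keeps the file consistent. The rest of process_color_table continues outside the hunk.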
@@ -1010,6 +1014,8 @@ cmd_field (Word *w, int align, char has_param, int num) {
char *s;
s = word_string(child);
+ if (!s)
+ return FALSE;
#if 1 /* daved experimenting with fldrslt */
if(!strcmp("\\fldrslt", s))
return FALSE;
@@ -1033,7 +1039,7 @@ cmd_field (Word *w, int align, char has_param, int num) {
if (s && !strcmp(s, "SYMBOL") )
{
w4=w3->next;
- while(w4 && !strcmp(word_string(w4), " "))
+ while(w4 && word_string(w4) && !strcmp(word_string(w4), " "))
w4 = w4->next;
s4 = word_string(w4);
if (s4)
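Review bot: The rewritten loop condition calls `word_string(w4)` twice per iteration, once for the NULL test and once for the `strcmp`; I cannot see word_string from here, so I cannot say it is cheap or side-effect free. Caching the result keeps a single call and also makes the NULL case visible: `char *ws; while (w4 && (ws = word_string(w4)) != NULL && !strcmp(ws, " "))`. The hunk at L112 has the same double call and the same fix applies; there, whether `s4` is NULL-checked after the loop exits on a NULL-string word is outside the hunk, while here the `if (s4)` on the last line covers it. The enclosing cmd_field body extends beyond both hunks.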
@@ -1061,7 +1067,7 @@ cmd_field (Word *w, int align, char has_param, int num) {
Word *w4;
char *s4;
w4=w3->next;
- while (w4 && !strcmp(" ", word_string(w4)))
+ while (w4 && word_string(w4) && !strcmp(" ", word_string(w4)))
w4=w4->next;
if (w4) {
s4=word_string(w4);