From: Jean-Francois Dockes <jfd@recoll.org>
Date: Sun, 21 Dec 2014 10:51:47 +0100
Subject: Fix a number of possible crashes caused by a bad format causing
 word_string() to return NULL

Second fix for CVE-2014-9275, according to
https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html

Origin: https://bitbucket.org/medoc/unrtf-int/commits/3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3/raw/
Bug-Debian: http://bugs.debian.org/772811
---
 src/convert.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/convert.c b/src/convert.c
index 96bf438..bd84398 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -278,6 +278,8 @@ word_dump_date (Word *w)
 	CHECK_PARAM_NOT_NULL(w);
 	while (w) {
 	 	char *s = word_string (w);
+                if (!s)
+                        return;
 		if (*s == '\\') {
 			++s;
 			if (!strncmp (s, "yr", 2) && isdigit(s[2])) {
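Review bot: `isdigit(s[2])` on the line after the new NULL guard passes a plain `char` taken from the RTF input to a `<ctype.h>` function, which is undefined for negative values where `char` is signed. Casting at the call, `isdigit((unsigned char)s[2])`, removes that; any other ctype calls in the part of word_dump_date outside this hunk would need the same cast. The added `if (!s) return;` would also benefit from a short comment, for example `/* word_string() returns NULL for a malformed word; give up on the date */`.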
@@ -524,6 +526,8 @@ process_font_table (Word *w)
 
         if ((w2 = w->child)) {
             tmp = word_string(w2);
+            if (!tmp)
+                    break;
             if (!strncmp("\\f", tmp, 2)) {
                 num = atoi(&tmp[2]);
                 name[0] = 0;
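Review bot: The `break` added after `tmp = word_string(w2)` leaves the loop that encloses this `if`, which starts outside the hunk, so one child without a string appears to end font-table parsing for every later entry while whatever follows the loop still runs on the partial table. If that is the intent, say so at the guard, e.g. `/* malformed font entry: stop reading the table */`; if only the bad entry should be skipped, the guard needs to reach the loop's advance step instead of breaking. `num = atoi(&tmp[2])` just below also accepts negative or out-of-range font numbers without reporting an error, so how `num` is used further down should be checked.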
@@ -704,7 +708,8 @@ process_info_group (Word *w)
 			char *s;
 
 			s = word_string(child);
-
+                        if (!s)
+                                return;
 			if (!inline_mode) {
 				if (!strcmp("\\title", s)) {
 					
@@ -712,11 +717,11 @@ process_info_group (Word *w)
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\') 
 						{
 							print_with_special_exprs (s2);
 						}
-						else
+						else if (s2)
 						{
 							if (s2[1] == '\'')
 							{
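Review bot: `s2` is tested for NULL twice here, once in `if (s2 && s2[0] != '\\')` and again in `else if (s2)`, which makes the branch structure harder to follow than a single guard at the top of the loop body. The loop's end is outside this hunk, so I can only assume it advances with `w2 = w2->next` like the later loops in process_info_group; under that assumption `if (!s2) { w2 = w2->next; continue; }` right after the `word_string(w2)` call would let both branches keep their original conditions. The same `s2 &&` pattern is repeated in the three following hunks of this function, where a single early guard would read the same way.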
@@ -735,7 +740,7 @@ process_info_group (Word *w)
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\') 
 							printf("%s,", s2);
 						w2 = w2->next;
 					}
@@ -746,7 +751,7 @@ process_info_group (Word *w)
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\') 
 							printf("%s", s2);
 						w2 = w2->next;
 					}
@@ -758,7 +763,7 @@ process_info_group (Word *w)
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\') 
 							printf("%s", s2);
 						w2 = w2->next;
 					}
@@ -868,11 +873,10 @@ process_color_table (Word *w)
 	r=g=b=0;
 
 	while(w) {
-                if (total_colors >= MAX_COLORS) {
+		char *s = word_string (w);
+                if (s == 0 || total_colors >= MAX_COLORS) {
                         break;
                 }
-		char *s = word_string (w);
-
 		if (!strncmp("\\red",s,4)) {
 			r = atoi(&s[4]);
 			while(r>255) r>>=8;
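Review bot: The clamp `while(r>255) r>>=8;` after `r = atoi(&s[4])` only bounds the value from above, so a negative number in the `\red` control word passes through unchanged; the guard this commit adds covers a NULL `s` but not the parsed value. A lower bound next to the clamp, e.g. `if (r < 0) r = 0;`, would close that, and the same applies to any green/blue parsing further down, which is outside this hunk. How `r` is consumed is not visible here, so the impact is unconfirmed. As a style point, `s == 0` would read better as `!s` to match the other guards in this patch.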
@@ -1010,6 +1014,8 @@ cmd_field (Word *w, int align, char has_param, int num) {
 			char *s;
 
 			s = word_string(child);
+                        if (!s)
+                                return FALSE;
 #if 1 /* daved experimenting with fldrslt */
 			if(!strcmp("\\fldrslt", s))
 				return FALSE;
@@ -1033,7 +1039,7 @@ cmd_field (Word *w, int align, char has_param, int num) {
 				    if (s && !strcmp(s, "SYMBOL") )
 				    {
 					w4=w3->next;
-					while(w4 && !strcmp(word_string(w4), " "))
+					while(w4 && word_string(w4) && !strcmp(word_string(w4), " "))
 						w4 = w4->next;
 					s4 = word_string(w4);
 					if (s4)
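Review bot: The loop `while(w4 && word_string(w4) && !strcmp(word_string(w4), " "))` can exit with `w4 == NULL` when every remaining word is a blank, and the next line then calls `word_string(w4)` unconditionally; the later hunk at -1061 wraps the same call in `if (w4)`, this one does not. Guarding it, `s4 = w4 ? word_string(w4) : NULL;`, keeps the following `if (s4)` test working. Both loops also call word_string() twice per iteration; assigning the result inside the condition, `while (w4 && (s4 = word_string(w4)) && !strcmp(s4, " "))`, avoids the repeat and does not depend on the two calls returning the same thing. The enclosing cmd_field body extends beyond both hunks.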
@@ -1061,7 +1067,7 @@ cmd_field (Word *w, int align, char has_param, int num) {
 						    Word *w4;
 						    char *s4;
 						    w4=w3->next;
-						    while (w4 && !strcmp(" ", word_string(w4)))
+						    while (w4 && word_string(w4) && !strcmp(" ", word_string(w4)))
 							    w4=w4->next;
 						    if (w4) {
 							    s4=word_string(w4);