Description: Limit depth of group embedding
 Limit depth of group embedding (nesting) to guard against malicious files
 with thousands of consecutive '{' characters.
Origin: backport, http://hg.savannah.gnu.org/hgweb/unrtf/raw-rev/7d7f30c53ca0
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2015-01-26
Applied-Upstream: 0.21.7

--- a/src/convert.c
+++ b/src/convert.c
@@ -3075,7 +3075,7 @@ accumulate_iconv_input(int ch)
  *=======================================================================*/
 
 static void
-word_print_core (Word *w)
+word_print_core (Word *w, int groupdepth)
 {
 	char *s;
 	char *alias;
@@ -3084,6 +3084,10 @@ word_print_core (Word *w)
 	int paragraph_begined=FALSE;
 	int paragraph_align=ALIGN_LEFT;
 
+        if (groupdepth > MAX_GROUP_DEPTH) {
+		warning_handler ("Max group depth reached");
+		return;
+        }
 	CHECK_PARAM_NOT_NULL(w);
 
 	if (!coming_pars_that_are_tabular && within_table) {
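Review bot: The new guard at the top of word_print_core carries no comment saying why the limit exists, and its lines are indented with spaces where the surrounding code uses tabs; the same applies to the guard added to optimize_word in src/word.c and to the recursive call `word_print_core (child, groupdepth+1);` further down. A comment such as `/* Each nested RTF group costs one stack frame; stop descending into untrusted input nested deeper than MAX_GROUP_DEPTH. */` would record the intent. When the limit trips, the deeper subtree is simply left out of the output and, as far as the visible lines show, the only signal is the warning, so the message could say that, e.g. `warning_handler ("Max group depth reached, deeper groups skipped");`. The function body continues outside this hunk.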
@@ -3378,7 +3382,7 @@ word_print_core (Word *w)
 			}
 
 			if (child) 
-			  word_print_core (child);
+                            word_print_core (child, groupdepth+1);
 		}
 
 		if (w) 
@@ -3457,7 +3461,7 @@ word_print (Word *w)
 	have_printed_body=FALSE;
 	within_table=FALSE;
 	simulate_allcaps=FALSE;
-	word_print_core (w);
+	word_print_core (w, 1);
 	end_table();
 
 	if (!inline_mode) {
--- a/src/main.c
+++ b/src/main.c
@@ -263,7 +263,7 @@ main (int argc, char **argv)
 		printf("\n");
 	} else {
 /* Should we also optimize word before dump? - AF */
-		word = optimize_word(word);
+		word = optimize_word(word, 1);
 		word_print(word);
 	}
 
--- a/src/word.c
+++ b/src/word.c
@@ -222,7 +222,7 @@ word_dump (Word *w)
  * Returns:	Optimized word.
  *=======================================================================*/
 Word *
-optimize_word(Word *w)
+optimize_word(Word *w, int depth)
 {
 	char *s, *s1;
 	int i = 0, len;
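Review bot: Adding `depth` to the exported optimize_word makes every caller supply the starting value 1, as main.c now does, and the function's header comment (which starts above this hunk) is not updated to describe the new parameter. word_print already hides its counter behind word_print_core, and the same split would work here: keep `Word *optimize_word(Word *w)` as a thin wrapper returning `optimize_word_core(w, 1)` and make the recursive function static. If the signature stays as it is, add a line to the header comment along the lines of `depth: current group nesting level; external callers pass 1`. The body of optimize_word continues outside this hunk.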
@@ -230,6 +230,11 @@ optimize_word(Word *w)
 	Tag tags_to_opt[] = OPT_ARRAY;
 	Word *root = w, *w2;
 
+        if (depth > MAX_GROUP_DEPTH) {
+		/* Have to be reasonable at some point */
+		warning_handler ("Max group depth reached");
+		return w;
+        }
 	for (; w != NULL; w = w->next)
 	{
 
@@ -264,7 +269,7 @@ optimize_word(Word *w)
 		}
 
 		if (w->child != NULL)
-			w->child = optimize_word(w->child);
+			w->child = optimize_word(w->child, depth+1);
 
 		w2 = w;
 	}
--- a/src/word.h
+++ b/src/word.h
@@ -49,7 +49,11 @@ extern char* word_string (Word*);
 extern void word_dump (Word*);
 extern void word_print_html (Word*);
 
-extern Word* optimize_word(Word*);
+#ifndef MAX_GROUP_DEPTH
+#define MAX_GROUP_DEPTH 1000
+#endif
+ 
+extern Word* optimize_word(Word*, int depth);
 
 typedef struct _t {
 	char *name;
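Review bot: The depth limit is threaded only through optimize_word and word_print_core. word_dump and word_print_html, declared just above, keep their single-argument signatures, so if either recurses into child groups (their bodies are not in this patch) it stays unbounded. The same question applies to whatever builds the Word tree before optimize_word is called in main.c. It is worth confirming that every recursive walker over `child` is covered, or that over-deep nesting is rejected once while the tree is built. Separately, MAX_GROUP_DEPTH has no comment; something like `/* Upper bound on RTF group nesting followed by the recursive tree walkers; override at build time with -DMAX_GROUP_DEPTH=n. */` would explain both the value and the #ifndef.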