Package list unrtf / 17f49fd
Fix a number of possible crashes caused by a bad format causing word_string() to return NULL Second fix for CVE-2014-9275, according to https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html Origin: https://bitbucket.org/medoc/unrtf-int/commits/3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3/raw/ Bug-Debian: http://bugs.debian.org/772811 Backport by Willi Mann Jean-Francois Dockes authored 6 years ago Willi Mann committed 6 years ago
1 changed file(s) with 14 addition(s) and 9 deletion(s). Raw diff Collapse all Expand all
249249 CHECK_PARAM_NOT_NULL(w);
250250 while (w) {
251251 char *s = word_string (w);
252 if (!s)
253 return;
252254 if (*s == '\\') {
253255 ++s;
254256 if (!strncmp (s, "yr", 2) && isdigit(s[2])) {
332334
333335 if ((w2=w->child)) {
334336 tmp = word_string (w2);
337 if(!tmp)
338 break;
335339 if (!strncmp("\\f",tmp,2)) {
336340 num = atoi (&tmp[2]);
337341 name[0]=0;
460464 char *s;
461465
462466 s = word_string(child);
463
467 if (!s)
468 return;
464469 if (!inline_mode) {
465470 if (!strcmp("\\title", s)) {
466471 printf (op->document_title_begin);
467472 w2=child->next;
468473 while (w2) {
469474 char *s2 = word_string(w2);
470 if (s2[0] != '\\')
475 if (s2 && s2[0] != '\\')
471476 printf ("%s", s2);
472477 w2=w2->next;
473478 }
478483 w2=child->next;
479484 while (w2) {
480485 char *s2 = word_string(w2);
481 if (s2[0] != '\\')
486 if (s2 && s2[0] != '\\')
482487 printf ("%s,", s2);
483488 w2=w2->next;
484489 }
489494 w2=child->next;
490495 while (w2) {
491496 char *s2 = word_string(w2);
492 if (s2[0] != '\\')
497 if (s2 && s2[0] != '\\')
493498 printf ("%s", s2);
494499 w2=w2->next;
495500 }
501506 w2=child->next;
502507 while (w2) {
503508 char *s2 = word_string(w2);
504 if (s2[0] != '\\')
509 if (s2 && s2[0] != '\\')
505510 printf ("%s", s2);
506511 w2=w2->next;
507512 }
611616 r=g=b=0;
612617
613618 while(w) {
614 if (total_colors >= MAX_COLORS) {
619 char *s = word_string (w);
620 if (s == 0 || total_colors >= MAX_COLORS) {
615621 break;
616622 }
617 char *s = word_string (w);
618623
619624 #if 0
620625 printf (op->comment_begin);
776781 if(s && !strcmp(s, "SYMBOL") )
777782 {
778783 w4=w3->next;
779 while(w4 && !strcmp(word_string(w4), " "))
784 while(w4 && word_string(w4) && !strcmp(word_string(w4), " "))
780785 w4 = w4->next;
781786 s4 = word_string(w4);
782787 if(s4)
794799 Word *w4;
795800 char *s4;
796801 w4=w3->next;
797 while (w4 && !strcmp(" ", word_string(w4)))
802 while (w4 && word_string(w4) && !strcmp(" ", word_string(w4)))
798803 w4=w4->next;
799804 if (w4) {
800805 s4=word_string(w4);