Fix CVE-2014-9275: various crashes Willi Mann 9 years ago
3 changed file(s) with 159 addition(s) and 0 deletion(s).
0 From: Jean-Francois Dockes <jfd@recoll.org>
1 Date: Sun, 21 Dec 2014 10:47:03 +0100
2 Subject: Need to process word chars as unsigned. Else char with hi bit set
3 can crash program
4
5 Partially fixes CVE-2014-9275, according to
6 https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html
7
8 Origin: https://bitbucket.org/medoc/unrtf-int/commits/1df886f2e65f7c512a6217588ae8d94d4bcbc63d/raw/
9 Bug-Debian: http://bugs.debian.org/772811
10 ---
11 src/hash.c | 4 ++--
12 1 file changed, 2 insertions(+), 2 deletions(-)
13
14 diff --git a/src/hash.c b/src/hash.c
15 index b886d1e..67c6a25 100644
16 --- a/src/hash.c
17 +++ b/src/hash.c
18 @@ -133,8 +133,8 @@ hashitem_new (char *str)
19
20 hi->str = my_strdup(str);
21
22 - i = *str;
23 - if (i=='\\') i=str[1];
24 + i = (unsigned char)*str;
25 + if (i=='\\') i=(unsigned char)str[1];
26 i <<= 24;
27 hi->value = i | (hash_value++ & 0xffffff);
28 hi->next = NULL;
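Review bot: The unsigned char casts remove the negative-value case, but `i <<= 24` three lines below is still undefined for i ≥ 128 when `i` is a plain `int` (its declaration is above the hunk), because 128 << 24 is not representable in a signed 32-bit int — and bytes with the high bit set are exactly the input this patch is about. Doing the shift in unsigned avoids it: drop the `i <<= 24;` line and write `hi->value = ((unsigned)i << 24) | (hash_value++ & 0xffffff);`. If `i` is already declared unsigned this is moot, but that cannot be seen from the hunk. hashitem_new's body starts and ends outside the hunk.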
0 From: Jean-Francois Dockes <jfd@recoll.org>
1 Date: Sun, 21 Dec 2014 10:51:47 +0100
2 Subject: Fix a number of possible crashes caused by a bad format causing
3 word_string() to return NULL
4
5 Second fix for CVE-2014-9275, according to
6 https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html
7
8 Origin: https://bitbucket.org/medoc/unrtf-int/commits/3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3/raw/
9 Bug-Debian: http://bugs.debian.org/772811
10 ---
11 src/convert.c | 28 +++++++++++++++++-----------
12 1 file changed, 17 insertions(+), 11 deletions(-)
13
14 diff --git a/src/convert.c b/src/convert.c
15 index 96bf438..bd84398 100644
16 --- a/src/convert.c
17 +++ b/src/convert.c
18 @@ -278,6 +278,8 @@ word_dump_date (Word *w)
19 CHECK_PARAM_NOT_NULL(w);
20 while (w) {
21 char *s = word_string (w);
22 + if (!s)
23 + return;
24 if (*s == '\\') {
25 ++s;
26 if (!strncmp (s, "yr", 2) && isdigit(s[2])) {
27 @@ -524,6 +526,8 @@ process_font_table (Word *w)
28
29 if ((w2 = w->child)) {
30 tmp = word_string(w2);
31 + if (!tmp)
32 + break;
33 if (!strncmp("\\f", tmp, 2)) {
34 num = atoi(&tmp[2]);
35 name[0] = 0;
36 @@ -704,7 +708,8 @@ process_info_group (Word *w)
37 char *s;
38
39 s = word_string(child);
40 -
41 + if (!s)
42 + return;
43 if (!inline_mode) {
44 if (!strcmp("\\title", s)) {
45
46 @@ -712,11 +717,11 @@ process_info_group (Word *w)
47 w2=child->next;
48 while (w2) {
49 char *s2 = word_string(w2);
50 - if (s2[0] != '\\')
51 + if (s2 && s2[0] != '\\')
52 {
53 print_with_special_exprs (s2);
54 }
55 - else
56 + else if (s2)
57 {
58 if (s2[1] == '\'')
59 {
60 @@ -735,7 +740,7 @@ process_info_group (Word *w)
61 w2=child->next;
62 while (w2) {
63 char *s2 = word_string(w2);
64 - if (s2[0] != '\\')
65 + if (s2 && s2[0] != '\\')
66 printf("%s,", s2);
67 w2 = w2->next;
68 }
69 @@ -746,7 +751,7 @@ process_info_group (Word *w)
70 w2=child->next;
71 while (w2) {
72 char *s2 = word_string(w2);
73 - if (s2[0] != '\\')
74 + if (s2 && s2[0] != '\\')
75 printf("%s", s2);
76 w2 = w2->next;
77 }
78 @@ -758,7 +763,7 @@ process_info_group (Word *w)
79 w2=child->next;
80 while (w2) {
81 char *s2 = word_string(w2);
82 - if (s2[0] != '\\')
83 + if (s2 && s2[0] != '\\')
84 printf("%s", s2);
85 w2 = w2->next;
86 }
87 @@ -868,11 +873,10 @@ process_color_table (Word *w)
88 r=g=b=0;
89
90 while(w) {
91 - if (total_colors >= MAX_COLORS) {
92 + char *s = word_string (w);
93 + if (s == 0 || total_colors >= MAX_COLORS) {
94 break;
95 }
96 - char *s = word_string (w);
97 -
98 if (!strncmp("\\red",s,4)) {
99 r = atoi(&s[4]);
100 while(r>255) r>>=8;
101 @@ -1010,6 +1014,8 @@ cmd_field (Word *w, int align, char has_param, int num) {
102 char *s;
103
104 s = word_string(child);
105 + if (!s)
106 + return FALSE;
107 #if 1 /* daved experimenting with fldrslt */
108 if(!strcmp("\\fldrslt", s))
109 return FALSE;
110 @@ -1033,7 +1039,7 @@ cmd_field (Word *w, int align, char has_param, int num) {
111 if (s && !strcmp(s, "SYMBOL") )
112 {
113 w4=w3->next;
114 - while(w4 && !strcmp(word_string(w4), " "))
115 + while(w4 && word_string(w4) && !strcmp(word_string(w4), " "))
116 w4 = w4->next;
117 s4 = word_string(w4);
118 if (s4)
119 @@ -1061,7 +1067,7 @@ cmd_field (Word *w, int align, char has_param, int num) {
120 Word *w4;
121 char *s4;
122 w4=w3->next;
123 - while (w4 && !strcmp(" ", word_string(w4)))
124 + while (w4 && word_string(w4) && !strcmp(" ", word_string(w4)))
125 w4=w4->next;
126 if (w4) {
127 s4=word_string(w4);
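Review bot: In the word_dump_date hunk the new NULL check stops the dereference, but the `isdigit(s[2])` on the context line right after it still passes a plain `char` to a ctype function, which is undefined for bytes with the high bit set — the same signedness issue the hash.c patch in this commit fixes; it should read `isdigit((unsigned char)s[2])`. The process_color_table hunk spells the same test as `s == 0` while every other hunk uses `!s`; `if (!s || total_colors >= MAX_COLORS)` would keep the file consistent. In the two cmd_field loop hunks `word_string(w4)` is now called twice per iteration; caching the result in a local (the surrounding code already declares `s4`) would read more clearly, though whether word_string is cheap cannot be seen here. All of these functions start and end outside their hunks.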
00 0001-check-that-accesses-to-color-table-stay-within-bound.patch
1 0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch
2 0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch