Codebase list unrtf / 83ab9a3
Add 0006-Limit-depth-of-group-embedding.patch patch Limit depth of group embedding to guard against malicious files with thousands of consecutive {. Salvatore Bonaccorso authored 8 years ago Willi Mann committed 8 years ago
2 changed file(s) with 108 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
+107
-0
debian/patches/0006-Limit-depth-of-group-embedding.patch less more
0 Description: Limit depth of group embedding
1 Limit depth of group embedding to guard against malicious files with
2 thousands of consecutive {
3 Origin: backport, http://hg.savannah.gnu.org/hgweb/unrtf/raw-rev/7d7f30c53ca0
4 Forwarded: not-needed
5 Author: Salvatore Bonaccorso <carnil@debian.org>
6 Last-Update: 2015-01-26
7 Applied-Upstream: 0.21.7
8
9 --- a/src/convert.c
10 +++ b/src/convert.c
11 @@ -3075,7 +3075,7 @@ accumulate_iconv_input(int ch)
12 *=======================================================================*/
13
14 static void
15 -word_print_core (Word *w)
16 +word_print_core (Word *w, int groupdepth)
17 {
18 char *s;
19 char *alias;
20 @@ -3084,6 +3084,10 @@ word_print_core (Word *w)
21 int paragraph_begined=FALSE;
22 int paragraph_align=ALIGN_LEFT;
23
24 + if (groupdepth > MAX_GROUP_DEPTH) {
25 + warning_handler ("Max group depth reached");
26 + return;
27 + }
28 CHECK_PARAM_NOT_NULL(w);
29
30 if (!coming_pars_that_are_tabular && within_table) {
31 @@ -3378,7 +3382,7 @@ word_print_core (Word *w)
32 }
33
34 if (child)
35 - word_print_core (child);
36 + word_print_core (child, groupdepth+1);
37 }
38
39 if (w)
40 @@ -3457,7 +3461,7 @@ word_print (Word *w)
41 have_printed_body=FALSE;
42 within_table=FALSE;
43 simulate_allcaps=FALSE;
44 - word_print_core (w);
45 + word_print_core (w, 1);
46 end_table();
47
48 if (!inline_mode) {
49 --- a/src/main.c
50 +++ b/src/main.c
51 @@ -263,7 +263,7 @@ main (int argc, char **argv)
52 printf("\n");
53 } else {
54 /* Should we also optimize word before dump? - AF */
55 - word = optimize_word(word);
56 + word = optimize_word(word, 1);
57 word_print(word);
58 }
59
60 --- a/src/word.c
61 +++ b/src/word.c
62 @@ -222,7 +222,7 @@ word_dump (Word *w)
63 * Returns: Optimized word.
64 *=======================================================================*/
65 Word *
66 -optimize_word(Word *w)
67 +optimize_word(Word *w, int depth)
68 {
69 char *s, *s1;
70 int i = 0, len;
71 @@ -230,6 +230,11 @@ optimize_word(Word *w)
72 Tag tags_to_opt[] = OPT_ARRAY;
73 Word *root = w, *w2;
74
75 + if (depth > MAX_GROUP_DEPTH) {
76 + /* Have to be reasonable at some point */
77 + warning_handler ("Max group depth reached");
78 + return w;
79 + }
80 for (; w != NULL; w = w->next)
81 {
82
83 @@ -264,7 +269,7 @@ optimize_word(Word *w)
84 }
85
86 if (w->child != NULL)
87 - w->child = optimize_word(w->child);
88 + w->child = optimize_word(w->child, depth+1);
89
90 w2 = w;
91 }
92 --- a/src/word.h
93 +++ b/src/word.h
94 @@ -49,7 +49,11 @@ extern char* word_string (Word*);
95 extern void word_dump (Word*);
96 extern void word_print_html (Word*);
97
98 -extern Word* optimize_word(Word*);
99 +#ifndef MAX_GROUP_DEPTH
100 +#define MAX_GROUP_DEPTH 1000
101 +#endif
102 +
103 +extern Word* optimize_word(Word*, int depth);
104
105 typedef struct _t {
106 char *name;
+1
-0
debian/patches/series less more
22 0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch
33 0004-attrstack_drop-Properly-drop-the-last-stack-element.patch
44 0005-attr_get_param-Silence-a-warning-message-again.patch
5 0006-Limit-depth-of-group-embedding.patch