|
0 |
From: Jean-Francois Dockes <jfd@recoll.org>
|
|
1 |
Date: Sun, 21 Dec 2014 10:08:26 +0100
|
|
2 |
Subject: check that accesses to color table stay within bounds,
|
|
3 |
esp that the color number is positive. This fixes {\cb-999} crashing
|
|
4 |
unrtf
|
|
5 |
|
|
6 |
This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15
|
|
7 |
|
|
8 |
Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/
|
|
9 |
Bug-Debian: http://bugs.debian.org/772811
|
|
10 |
---
|
|
11 |
src/convert.c | 9 ++++++---
|
|
12 |
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
13 |
|
|
14 |
diff --git a/src/convert.c b/src/convert.c
|
|
15 |
index e563473..96bf438 100644
|
|
16 |
--- a/src/convert.c
|
|
17 |
+++ b/src/convert.c
|
|
18 |
@@ -868,6 +868,9 @@ process_color_table (Word *w)
|
|
19 |
r=g=b=0;
|
|
20 |
|
|
21 |
while(w) {
|
|
22 |
+ if (total_colors >= MAX_COLORS) {
|
|
23 |
+ break;
|
|
24 |
+ }
|
|
25 |
char *s = word_string (w);
|
|
26 |
|
|
27 |
if (!strncmp("\\red",s,4)) {
|
|
28 |
@@ -921,7 +924,7 @@ static int
|
|
29 |
cmd_cf (Word *w, int align, char has_param, int num) {
|
|
30 |
char str[40];
|
|
31 |
|
|
32 |
- if (!has_param || num>=total_colors) {
|
|
33 |
+ if (!has_param || num < 0 || num>=total_colors) {
|
|
34 |
warning_handler ("font color change attempted is invalid");
|
|
35 |
}
|
|
36 |
else
|
|
37 |
@@ -948,7 +951,7 @@ static int
|
|
38 |
cmd_cb (Word *w, int align, char has_param, int num) {
|
|
39 |
char str[40];
|
|
40 |
|
|
41 |
- if (!has_param || num>=total_colors) {
|
|
42 |
+ if (!has_param || num < 0 || num>=total_colors) {
|
|
43 |
warning_handler ("font color change attempted is invalid");
|
|
44 |
}
|
|
45 |
else
|
|
46 |
@@ -1153,7 +1156,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
|
|
47 |
{
|
|
48 |
char str[40];
|
|
49 |
|
|
50 |
- if (!has_param || num>=total_colors) {
|
|
51 |
+ if (!has_param || num < 0 || num>=total_colors) {
|
|
52 |
warning_handler ("font background color change attempted is invalid");
|
|
53 |
}
|
|
54 |
else
|