Package list unrtf / b93e429
Fix CVE-2014-9274: check that accesses to color table stay within bounds Willi Mann 6 years ago
2 changed file(s) with 56 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
0 From: Jean-Francois Dockes <jfd@recoll.org>
1 Date: Sun, 21 Dec 2014 10:08:26 +0100
2 Subject: check that accesses to color table stay within bounds,
3 esp that the color number is positive. This fixes {\cb-999} crashing
4 unrtf
5
6 This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15
7
8 Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/
9 Bug-Debian: http://bugs.debian.org/772811
10 ---
11 src/convert.c | 9 ++++++---
12 1 file changed, 6 insertions(+), 3 deletions(-)
13
14 diff --git a/src/convert.c b/src/convert.c
15 index e563473..96bf438 100644
16 --- a/src/convert.c
17 +++ b/src/convert.c
18 @@ -868,6 +868,9 @@ process_color_table (Word *w)
19 r=g=b=0;
20
21 while(w) {
22 + if (total_colors >= MAX_COLORS) {
23 + break;
24 + }
25 char *s = word_string (w);
26
27 if (!strncmp("\\red",s,4)) {
28 @@ -921,7 +924,7 @@ static int
29 cmd_cf (Word *w, int align, char has_param, int num) {
30 char str[40];
31
32 - if (!has_param || num>=total_colors) {
33 + if (!has_param || num < 0 || num>=total_colors) {
34 warning_handler ("font color change attempted is invalid");
35 }
36 else
37 @@ -948,7 +951,7 @@ static int
38 cmd_cb (Word *w, int align, char has_param, int num) {
39 char str[40];
40
41 - if (!has_param || num>=total_colors) {
42 + if (!has_param || num < 0 || num>=total_colors) {
43 warning_handler ("font color change attempted is invalid");
44 }
45 else
46 @@ -1153,7 +1156,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
47 {
48 char str[40];
49
50 - if (!has_param || num>=total_colors) {
51 + if (!has_param || num < 0 || num>=total_colors) {
52 warning_handler ("font background color change attempted is invalid");
53 }
54 else
0 0001-check-that-accesses-to-color-table-stay-within-bound.patch