Package list unrtf / ea76d84
check that accesses to color table stay within bounds, esp that the color number is positive. This fixes {\cb-999} crashing unrtf This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15 Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/ Bug-Debian: http://bugs.debian.org/772811 Jean-Francois Dockes authored 6 years ago Willi Mann committed 6 years ago
1 changed file(s) with 6 addition(s) and 3 deletion(s). Raw diff Collapse all Expand all
611611 r=g=b=0;
612612
613613 while(w) {
614 if (total_colors >= MAX_COLORS) {
615 break;
616 }
614617 char *s = word_string (w);
615618
616619 #if 0
670673 cmd_cf (Word *w, int align, char has_param, short num) {
671674 char str[40];
672675
673 if (!has_param || num>=total_colors) {
676 if (!has_param || num < 0 || num>=total_colors) {
674677 warning_handler ("font color change attempted is invalid");
675678 }
676679 else
697700 cmd_cb (Word *w, int align, char has_param, short num) {
698701 char str[40];
699702
700 if (!has_param || num>=total_colors) {
703 if (!has_param || num < 0 || num>=total_colors) {
701704 warning_handler ("font color change attempted is invalid");
702705 }
703706 else
856859 {
857860 char str[40];
858861
859 if (!has_param || num>=total_colors) {
862 if (!has_param || num < 0 || num>=total_colors) {
860863 warning_handler ("font background color change attempted is invalid");
861864 }
862865 else