check that accesses to color table stay within bounds, esp that the color number is positive. This fixes {\cb-999} crashing unrtf
This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15
Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/
Bug-Debian: http://bugs.debian.org/772811
Jean-Francois Dockes authored 9 years ago
Willi Mann committed 9 years ago
| 611 | 611 | r=g=b=0; |
| 612 | 612 | |
| 613 | 613 | while(w) { |
| 614 | if (total_colors >= MAX_COLORS) { | |
| 615 | break; | |
| 616 | } | |
| 614 | 617 | char *s = word_string (w); |
| 615 | 618 | |
| 616 | 619 | #if 0 |
| 670 | 673 | cmd_cf (Word *w, int align, char has_param, short num) { |
| 671 | 674 | char str[40]; |
| 672 | 675 | |
| 673 | if (!has_param || num>=total_colors) { | |
| 676 | if (!has_param || num < 0 || num>=total_colors) { | |
| 674 | 677 | warning_handler ("font color change attempted is invalid"); |
| 675 | 678 | } |
| 676 | 679 | else |
| 697 | 700 | cmd_cb (Word *w, int align, char has_param, short num) { |
| 698 | 701 | char str[40]; |
| 699 | 702 | |
| 700 | if (!has_param || num>=total_colors) { | |
| 703 | if (!has_param || num < 0 || num>=total_colors) { | |
| 701 | 704 | warning_handler ("font color change attempted is invalid"); |
| 702 | 705 | } |
| 703 | 706 | else |
| 856 | 859 | { |
| 857 | 860 | char str[40]; |
| 858 | 861 | |
| 859 | if (!has_param || num>=total_colors) { | |
| 862 | if (!has_param || num < 0 || num>=total_colors) { | |
| 860 | 863 | warning_handler ("font background color change attempted is invalid"); |
| 861 | 864 | } |
| 862 | 865 | else |