Check that accesses to the color table stay within bounds, especially that the color number is not negative. This fixes {\cb-999} crashing unrtf.
This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15
Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/
Bug-Debian: http://bugs.debian.org/772811
Jean-Francois Dockes authored 9 years ago
Willi Mann committed 9 years ago
611 | 611 | r=g=b=0; |
612 | 612 | |
613 | 613 | while(w) { |
614 | if (total_colors >= MAX_COLORS) { | |
615 | break; | |
616 | } | |
614 | 617 | char *s = word_string (w); |
615 | 618 | |
616 | 619 | #if 0 |
670 | 673 | cmd_cf (Word *w, int align, char has_param, short num) { |
671 | 674 | char str[40]; |
672 | 675 | |
673 | if (!has_param || num>=total_colors) { | |
676 | if (!has_param || num < 0 || num>=total_colors) { | |
674 | 677 | warning_handler ("font color change attempted is invalid"); |
675 | 678 | } |
676 | 679 | else |
697 | 700 | cmd_cb (Word *w, int align, char has_param, short num) { |
698 | 701 | char str[40]; |
699 | 702 | |
700 | if (!has_param || num>=total_colors) { | |
703 | if (!has_param || num < 0 || num>=total_colors) { | |
701 | 704 | warning_handler ("font color change attempted is invalid"); |
702 | 705 | } |
703 | 706 | else |
856 | 859 | { |
857 | 860 | char str[40]; |
858 | 861 | |
859 | if (!has_param || num>=total_colors) { | |
862 | if (!has_param || num < 0 || num>=total_colors) { | |
860 | 863 | warning_handler ("font background color change attempted is invalid"); |
861 | 864 | } |
862 | 865 | else |
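Review bot: The new `if (total_colors >= MAX_COLORS) break;` guard at the top of the `while(w)` loop stops reading the color table silently, so a document that declares more entries than MAX_COLORS loses colors with no diagnostic; calling `warning_handler ("color table full, remaining colors ignored");` before the `break` would make the truncation visible. Later references to the dropped indices are still rejected by the `num>=total_colors` test in cmd_cf, cmd_cb and the third handler, so this concerns diagnosability rather than a remaining out-of-bounds access. The three handlers now repeat the same `!has_param || num < 0 || num>=total_colors` test, and any other command that indexes the color table outside these hunks would need the same check, so a small shared static helper would keep them consistent. The loop body and the handlers' `else` branches continue outside the visible hunks.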