Control: tags -1 + patch Hi Willi
Attached are two patches separated per CVEs. Regards, Salvatore
Description: CVE-2014-9274: out-of-bounds memory access UnRTF allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code as demonstrated by a file containing the string "{\cb-999999999". Origin: upstream, https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a Bug-Debian: https://bugs.debian.org/772811 Forwarded: no Author: Jean-Francois Dockes <j...@recoll.org> Last-Update: 2014-12-21
--- a/src/convert.c
+++ b/src/convert.c
@@ -868,6 +868,9 @@ process_color_table (Word *w)
 r=g=b=0;
 while(w) {
+ if (total_colors >= MAX_COLORS) {
+ break;
+ }
 char *s = word_string (w);
 if (!strncmp("\\red",s,4)) {
@@ -921,7 +924,7 @@ static int
 cmd_cf (Word *w, int align, char has_param, int num) {
 char str[40];
- if (!has_param || num>=total_colors) {
+ if (!has_param || num < 0 || num>=total_colors) {
 warning_handler ("font color change attempted is invalid");
 }
 else
@@ -948,7 +951,7 @@ static int
 cmd_cb (Word *w, int align, char has_param, int num) {
 char str[40];
- if (!has_param || num>=total_colors) {
+ if (!has_param || num < 0 || num>=total_colors) {
 warning_handler ("font color change attempted is invalid");
 }
 else
@@ -1153,7 +1156,7 @@ cmd_highlight (Word *w, int align, char
 {
 char str[40];
- if (!has_param || num>=total_colors) {
+ if (!has_param || num < 0 || num>=total_colors) {
 warning_handler ("font background color change attempted is invalid");
 }
 else
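Review bot: The new `break` in process_color_table stops reading the color table silently once `total_colors` reaches `MAX_COLORS`, so an oversized table is truncated with nothing in the output to say so. Color references beyond the cut-off will presumably be reported later as invalid by the cmd_cf, cmd_cb and cmd_highlight checks, which points the reader at the wrong place. Calling the existing warning routine before leaving the loop, for example `warning_handler ("color table truncated: too many entries");` (message text is only a suggestion), makes the truncation visible. The loop body continues outside the hunk.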
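Review bot: The lower-bound test `num < 0` is written out separately in cmd_cf, cmd_cb and cmd_highlight, and any other code that indexes the color table by an RTF parameter (not visible in this patch) needs the same three-clause condition to be safe. A single helper, for example `static int color_index_ok (char has_param, int num) { return has_param && num >= 0 && num < total_colors; }`, would keep the sites from drifting apart. In cmd_cb the warning still reads "font color change attempted is invalid", the same string as in cmd_cf, so the two cases cannot be told apart in the output; a background-specific message would help triage. All three function bodies continue outside their hunks.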
Description: CVE-2014-9275: out-of-bounds memory access UnRTF allows remote attackers to cause a denial of service (out-of-bounds memory access and crash) and possibly execute arbitrary code via a crafted RTF file. Origin: upstream, https://bitbucket.org/medoc/unrtf-int/commits/1df886f2e65f7c512a6217588ae8d94d4bcbc63d, https://bitbucket.org/medoc/unrtf-int/commits/3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3 Bug-Debian: https://bugs.debian.org/772811 Forwarded: no Author: Jean-Francois Dockes <j...@recoll.org> Last-Update: 2014-12-21
--- a/src/hash.c
+++ b/src/hash.c
@@ -133,8 +133,8 @@ hashitem_new (char *str)
 hi->str = my_strdup(str);
- i = *str;
- if (i=='\\') i=str[1];
+ i = (unsigned char)*str;
+ if (i=='\\') i=(unsigned char)str[1];
 i <<= 24;
 hi->value = i | (hash_value++ & 0xffffff);
 hi->next = NULL;
--- a/src/convert.c
+++ b/src/convert.c
@@ -278,6 +278,8 @@ word_dump_date (Word *w)
 CHECK_PARAM_NOT_NULL(w);
 while (w) {
 char *s = word_string (w);
+ if (!s)
+ return;
 if (*s == '\\') {
 ++s;
 if (!strncmp (s, "yr", 2) && isdigit(s[2])) {
@@ -524,6 +526,8 @@ process_font_table (Word *w)
 if ((w2 = w->child)) {
 tmp = word_string(w2);
+ if (!tmp)
+ break;
 if (!strncmp("\\f", tmp, 2)) {
 num = atoi(&tmp[2]);
 name[0] = 0;
@@ -704,7 +708,8 @@ process_info_group (Word *w)
 char *s;
 s = word_string(child);
-
+ if (!s)
+ return;
 if (!inline_mode) {
 if (!strcmp("\\title", s)) {
@@ -712,11 +717,11 @@ process_info_group (Word *w)
 w2=child->next;
 while (w2) {
 char *s2 = word_string(w2);
- if (s2[0] != '\\')
+ if (s2 && s2[0] != '\\')
 {
 print_with_special_exprs (s2);
 }
- else
+ else if (s2)
 {
 if (s2[1] == '\'')
 {
@@ -735,7 +740,7 @@ process_info_group (Word *w)
 w2=child->next;
 while (w2) {
 char *s2 = word_string(w2);
- if (s2[0] != '\\')
+ if (s2 && s2[0] != '\\')
 printf("%s,", s2);
 w2 = w2->next;
 }
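Review bot: The `(unsigned char)` casts in hashitem_new stop sign extension, but the following `i <<= 24;` is only well defined for byte values of 0x80 and above if `i` has an unsigned type, and its declaration is outside the hunk. If `i` is a plain `int` or a 32-bit `long`, shifting a value of 128 or more left by 24 overflows the signed type, which is undefined behaviour. Declaring `i` as `unsigned long`, or writing `hi->value = ((unsigned long)i << 24) | (hash_value++ & 0xffffff);`, removes the dependency on the declared type. `str[1]` is read whenever the first byte is a backslash, which is safe only because `str` is NUL-terminated; a one-line comment saying so would help the next reader.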
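Review bot: The `if (!s) return;` added in word_dump_date, like the checks added in process_font_table, process_info_group and cmd_field, handles a NULL result from word_string() at the call site, so any caller this patch does not touch is still exposed to the same NULL dereference; those callers are not visible here and should be audited. The reactions also differ (return in word_dump_date and process_info_group, break in process_font_table, skip in the `s2` loops), so a single word without a string may discard the rest of a date, the font table or the info group. I would document the contract where word_string is declared, with a comment such as `/* May return NULL for a word with no string; callers must check. */`, and consider skipping just that word (`w = w->next; continue;`) in the loops instead of abandoning them. The loop bodies continue outside the hunks.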
@@ -746,7 +751,7 @@ process_info_group (Word *w)
 w2=child->next;
 while (w2) {
 char *s2 = word_string(w2);
- if (s2[0] != '\\')
+ if (s2 && s2[0] != '\\')
 printf("%s", s2);
 w2 = w2->next;
 }
@@ -758,7 +763,7 @@ process_info_group (Word *w)
 w2=child->next;
 while (w2) {
 char *s2 = word_string(w2);
- if (s2[0] != '\\')
+ if (s2 && s2[0] != '\\')
 printf("%s", s2);
 w2 = w2->next;
 }
@@ -868,11 +873,10 @@ process_color_table (Word *w)
 r=g=b=0;
 while(w) {
- if (total_colors >= MAX_COLORS) {
+ char *s = word_string (w);
+ if (s == 0 || total_colors >= MAX_COLORS) {
 break;
 }
- char *s = word_string (w);
-
 if (!strncmp("\\red",s,4)) {
 r = atoi(&s[4]);
 while(r>255) r>>=8;
@@ -1010,6 +1014,8 @@ cmd_field (Word *w, int align, char has_
 char *s;
 s = word_string(child);
+ if (!s)
+ return FALSE;
 #if 1 /* daved experimenting with fldrslt */
 if(!strcmp("\\fldrslt", s))
 return FALSE;
@@ -1033,7 +1039,7 @@ cmd_field (Word *w, int align, char has_
 if (s && !strcmp(s, "SYMBOL") ) {
 w4=w3->next;
- while(w4 && !strcmp(word_string(w4), " "))
+ while(w4 && word_string(w4) && !strcmp(word_string(w4), " "))
 w4 = w4->next;
 s4 = word_string(w4);
 if (s4)
@@ -1061,7 +1067,7 @@ cmd_field (Word *w, int align, char has_
 Word *w4;
 char *s4;
 w4=w3->next;
- while (w4 && !strcmp(" ", word_string(w4)))
+ while (w4 && word_string(w4) && !strcmp(" ", word_string(w4)))
 w4=w4->next;
 if (w4) {
 s4=word_string(w4);
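Review bot: The context line `while(r>255) r>>=8;` in process_color_table bounds the red component only from above, so a negative parameter parsed by `atoi(&s[4])` passes through unchanged; how `r` is stored is outside the hunk, but a negative value is unlikely to be a meaningful color component. Adding `if (r < 0) r = 0;` after the `atoi` call (and likewise for green and blue, if they follow the same pattern) closes that gap. `atoi` also has undefined behaviour when the digits do not fit in an `int`; `strtol` with a range check avoids it. For consistency with the other checks in this patch, `s == 0` would read better as `!s`. The loop body continues outside the hunk.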
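Review bot: In the SYMBOL branch of cmd_field (the hunk at -1033) the patched loop can end with `w4 == NULL`, and the next context line `s4 = word_string(w4);` then passes that NULL to word_string() without the `if (w4)` guard that the later branch (the hunk at -1061) has. Whether word_string tolerates a NULL word is not visible here; guarding the call as `s4 = w4 ? word_string(w4) : NULL;` makes the two branches agree. The loop condition also calls word_string(w4) twice per iteration in both hunks; holding the result in a local would make the NULL test and the comparison use the same value. cmd_field's body continues outside the hunks.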