]> www.wagner.pp.ru Git - oss/catdoc.git/commitdiff
Fix vulnerability in rtfread.c:getNumber. Rewrote null pointer check in fileutils...
authorVictor Wagner <vitus@wagner.pp.ru>
Tue, 26 Apr 2016 04:33:56 +0000 (07:33 +0300)
committerVictor Wagner <vitus@wagner.pp.ru>
Tue, 26 Apr 2016 04:33:56 +0000 (07:33 +0300)
src/fileutil.c
src/rtfread.c

index 657b02252375cf2a9caa7c7b1bccd801c28767a3..ce616c2ea112d170894a7d95dbf7679d00437e1c 100644 (file)
@@ -104,10 +104,14 @@ int check_charset(char **filename,const char *charset) {
                return 1;
        }   
        tmppath=find_file(stradd(charset,CHARSET_EXT),charset_path);
-       if (tmppath&& *tmppath) {
-               *filename=strdup(charset);
-               free(tmppath);
-               return 1;
+       /* Some compilers evalate both arguments of && before
+          applying, so let's not use && as in the shell */
+       if (tmppath) {
+           if (*tmppath) {
+                       *filename=strdup(charset);
+                       free(tmppath);
+                       return 1;
+               }
        }
        return 0;
 }
index 9cb869b05a551c0b012af178c97e7d39c869aba4..af6be86183986317643093fde87f6d03e36be582 100644 (file)
@@ -103,6 +103,7 @@ RTFTypeMap rtf_types[]={
 
 #define RTFNAMEMAXLEN 32
 #define RTFARGSMAXLEN 64
+#define MAX_DIGITS_IN_NUMBER 10
 
 /**
  * Structure describing rtf command
@@ -367,9 +368,11 @@ signed long getNumber(FILE *f) {
        int c,count=0;
        char buf[RTFARGSMAXLEN];
        
-       while(isdigit(c=fgetc(f)) || c=='-') {
+       while((isdigit(c=fgetc(f)) || c=='-')) {
                if(feof(f))
                        return -1;
+               if (count > MAX_DIGITS_IN_NUMBER) 
+                       break;
                buf[count++]=(char)c;
        }
        ungetc(c,f);