From b89ceec5c7a586c1ad3e4758c4d2fdd160117d27 Mon Sep 17 00:00:00 2001
From: Victor Wagner
Date: Tue, 26 Apr 2016 07:33:56 +0300
Subject: [PATCH] Fix vulnerability in rtfread.c:getNumber. Rewrote null pointer check in fileutils.c:check_charset to make paranoind static analyzers happy
---
 src/fileutil.c | 12 ++++++++----
 src/rtfread.c | 5 ++++-
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/fileutil.c b/src/fileutil.c
index 657b022..ce616c2 100644
--- a/src/fileutil.c
+++ b/src/fileutil.c
@@ -104,10 +104,14 @@ int check_charset(char **filename,const char *charset) {
 return 1;
 }
 tmppath=find_file(stradd(charset,CHARSET_EXT),charset_path);
- if (tmppath&& *tmppath) {
- *filename=strdup(charset);
- free(tmppath);
- return 1;
+ /* Some compilers evalate both arguments of && before
+ applying, so let's not use && as in the shell */
+ if (tmppath) {
+ if (*tmppath) {
+ *filename=strdup(charset);
+ free(tmppath);
+ return 1;
+ }
 }
 return 0;
 }
diff --git a/src/rtfread.c b/src/rtfread.c
index 9cb869b..af6be86 100644
--- a/src/rtfread.c
+++ b/src/rtfread.c
@@ -103,6 +103,7 @@ RTFTypeMap rtf_types[]={
 #define RTFNAMEMAXLEN 32
 #define RTFARGSMAXLEN 64
+#define MAX_DIGITS_IN_NUMBER 10
 /**
 * Structure describing rtf command
@@ -367,9 +368,11 @@ signed long getNumber(FILE *f) {
 int c,count=0;
 char buf[RTFARGSMAXLEN];
- while(isdigit(c=fgetc(f)) || c=='-') {
+ while((isdigit(c=fgetc(f)) || c=='-')) {
 if(feof(f))
 return -1;
+ if (count > MAX_DIGITS_IN_NUMBER)
+ break;
 buf[count++]=(char)c;
 }
 ungetc(c,f);
--
2.39.5
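Review bot: `free(tmppath)` still runs only inside the inner `if (*tmppath)` branch, so a non-NULL but empty result from find_file() is never released; whether find_file() can return such a string is not visible here, but the `*tmppath` test suggests it can. Capturing the result first, e.g. `int found = (*tmppath != '\0'); free(tmppath);` at the top of the `if (tmppath)` body and then testing `found`, closes that path. The added comment is also inaccurate: C guarantees that `&&` evaluates its right operand only when the left one is non-zero, so the old `tmppath&& *tmppath` never dereferenced NULL and the nested form behaves identically; I would reword it to `/* nested only to quiet static analyzers; && already short-circuits */`. The value returned by `stradd(charset,CHARSET_EXT)` on the context line is not kept in a variable, so if stradd() allocates it cannot be freed. check_charset begins above the hunk.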
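Review bot: `MAX_DIGITS_IN_NUMBER` is introduced without a comment, and its name understates what it bounds: getNumber compares with `count > MAX_DIGITS_IN_NUMBER` and also stores `'-'`, so up to 11 characters reach the buffer. I would add `/* getNumber() keeps at most MAX_DIGITS_IN_NUMBER+1 characters, sign included; must stay below RTFARGSMAXLEN-1 */` above the define, so the dependency on the size of `buf` is stated where either constant might later be edited.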
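Review bot: When the new `break` fires, the digit just read is pushed back by `ungetc(c,f)` and the rest of an overlong number stays in the stream, so the caller resumes parsing in the middle of a numeric argument; if the excess is meant to be discarded, a drain such as `while (isdigit(c=fgetc(f))) ;` before the `ungetc` would keep the reader in sync. The bound does stop the write past `buf`, but only because 11 is smaller than `RTFARGSMAXLEN`; writing it as `if (count >= (int)sizeof(buf)-1 || count > MAX_DIGITS_IN_NUMBER)` ties it to the buffer itself. The `if(feof(f))` test inside the loop looks unreachable, since `isdigit(EOF)` is false and the loop exits first. Termination of `buf` and the conversion happen below the hunk, so whether a misplaced `-` (the loop accepts it at any position) is rejected cannot be judged from here.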