Fix vulnerability in rtfread.c:getNumber. Rewrote null pointer check in fileutils...
authorVictor Wagner <vitus@wagner.pp.ru>
Tue, 26 Apr 2016 04:33:56 +0000 (07:33 +0300)
committerVictor Wagner <vitus@wagner.pp.ru>
Tue, 26 Apr 2016 04:33:56 +0000 (07:33 +0300)
src/fileutil.c
src/rtfread.c

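--- a/src/fileutil.c
+++ b/src/fileutil.c
@@ -104,10 +104,14 @@ int check_charset(char **filename,const char *charset) {
                return 1;
        }   
        tmppath=find_file(stradd(charset,CHARSET_EXT),charset_path);
-       if (tmppath&& *tmppath) {
-               *filename=strdup(charset);
-               free(tmppath);
-               return 1;
+       /* Some compilers evalate both arguments of && before
+          applying, so let's not use && as in the shell */
+       if (tmppath) {
+           if (*tmppath) {
+                       *filename=strdup(charset);
+                       free(tmppath);
+                       return 1;
+               }
        }
        return 0;
 }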
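Review bot: The comment added above `if (tmppath)` is wrong about C: `&&` must evaluate its left operand first and skip the right one when the left is false, so the nested `if` behaves exactly as the removed `tmppath&& *tmppath` did, and the comment will mislead later readers. If a NULL dereference was observed in check_charset, its cause is presumably elsewhere (find_file and stradd are not visible here) and this rewrite does not fix it. I would drop the comment, or replace it with one stating the real contract, e.g. `/* find_file() may return NULL or an empty string when nothing matches */`, if that is what it does. The non-NULL-but-empty case also reaches `return 0;` without `free(tmppath)`, which leaks if find_file allocates in that case. check_charset starts above the hunk.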
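--- a/src/rtfread.c
+++ b/src/rtfread.c
@@ -103,6 +103,7 @@ RTFTypeMap rtf_types[]={
 
 #define RTFNAMEMAXLEN 32
 #define RTFARGSMAXLEN 64
+#define MAX_DIGITS_IN_NUMBER 10
 
 /**
  * Structure describing rtf command
@@ -367,9 +368,11 @@ signed long getNumber(FILE *f) {
        int c,count=0;
        char buf[RTFARGSMAXLEN];
        
-       while(isdigit(c=fgetc(f)) || c=='-') {
+       while((isdigit(c=fgetc(f)) || c=='-')) {
                if(feof(f))
                        return -1;
+               if (count > MAX_DIGITS_IN_NUMBER) 
+                       break;
                buf[count++]=(char)c;
        }
        ungetc(c,f);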
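Review bot: The new guard in getNumber's loop, `if (count > MAX_DIGITS_IN_NUMBER) break;`, stops the unbounded write into `buf`, but it is bounded by an unrelated constant rather than by the buffer, and `>` lets 11 characters through although the macro is named for 10. Tying the limit to the array keeps the overflow from coming back if either `#define` is changed later, e.g. `if (count >= (int)sizeof(buf) - 1) break;`, which leaves room for the terminator presumably written after the loop. When the limit is hit, the remaining digits stay in the stream and are read as following input, and an 11-digit value can exceed a 32-bit `long`. The termination and conversion of `buf` lie outside the hunk, so that conversion should be checked for range errors. A regression test feeding a control word followed by an over-long digit run would pin the behaviour.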