From: Victor Wagner <vitus@wagner.pp.ru>
Date: Tue, 26 Apr 2016 04:33:56 +0000 (+0300)
Subject: Fix vulnerability in rtfread.c:getNumber. Rewrote null pointer check in fileutils... 
X-Git-Tag: REL_0_95~14
X-Git-Url: http://www.wagner.pp.ru/gitweb/?p=oss%2Fcatdoc.git;a=commitdiff_plain;h=b89ceec5c7a586c1ad3e4758c4d2fdd160117d27

Fix vulnerability in rtfread.c:getNumber. Rewrote null pointer check in fileutils.c:check_charset to make paranoind static analyzers happy
---

diff --git a/src/fileutil.c b/src/fileutil.c
index 657b022..ce616c2 100644
--- a/src/fileutil.c
+++ b/src/fileutil.c
@@ -104,10 +104,14 @@ int check_charset(char **filename,const char *charset) {
 		return 1;
 	}   
 	tmppath=find_file(stradd(charset,CHARSET_EXT),charset_path);
-	if (tmppath&& *tmppath) {
-		*filename=strdup(charset);
-		free(tmppath);
-		return 1;
+	/* Some compilers evalate both arguments of && before
+	   applying, so let's not use && as in the shell */
+	if (tmppath) {
+	    if (*tmppath) {
+			*filename=strdup(charset);
+			free(tmppath);
+			return 1;
+		}
 	}
 	return 0;
 }
diff --git a/src/rtfread.c b/src/rtfread.c
index 9cb869b..af6be86 100644
--- a/src/rtfread.c
+++ b/src/rtfread.c
@@ -103,6 +103,7 @@ RTFTypeMap rtf_types[]={
 
 #define RTFNAMEMAXLEN 32
 #define RTFARGSMAXLEN 64
+#define MAX_DIGITS_IN_NUMBER 10
 
 /**
  * Structure describing rtf command
@@ -367,9 +368,11 @@ signed long getNumber(FILE *f) {
 	int c,count=0;
 	char buf[RTFARGSMAXLEN];
 	
-	while(isdigit(c=fgetc(f)) || c=='-') {
+	while((isdigit(c=fgetc(f)) || c=='-')) {
 		if(feof(f))
 			return -1;
+		if (count > MAX_DIGITS_IN_NUMBER) 
+			break;
 		buf[count++]=(char)c;
 	}
 	ungetc(c,f);