From: Victor Wagner Date: Tue, 26 Apr 2016 04:33:56 +0000 (+0300) Subject: Fix vulnerability in rtfread.c:getNumber. Rewrote null pointer check in fileutils... X-Git-Tag: REL_0_95~14 X-Git-Url: http://wagner.pp.ru/gitweb/?a=commitdiff_plain;h=b89ceec5c7a586c1ad3e4758c4d2fdd160117d27;p=oss%2Fcatdoc.git Fix vulnerability in rtfread.c:getNumber. Rewrote null pointer check in fileutils.c:check_charset to make paranoind static analyzers happy --- diff --git a/src/fileutil.c b/src/fileutil.c index 657b022..ce616c2 100644 --- a/src/fileutil.c +++ b/src/fileutil.c @@ -104,10 +104,14 @@ int check_charset(char **filename,const char *charset) { return 1; } tmppath=find_file(stradd(charset,CHARSET_EXT),charset_path); - if (tmppath&& *tmppath) { - *filename=strdup(charset); - free(tmppath); - return 1; + /* Some compilers evalate both arguments of && before + applying, so let's not use && as in the shell */ + if (tmppath) { + if (*tmppath) { + *filename=strdup(charset); + free(tmppath); + return 1; + } } return 0; } diff --git a/src/rtfread.c b/src/rtfread.c index 9cb869b..af6be86 100644 --- a/src/rtfread.c +++ b/src/rtfread.c @@ -103,6 +103,7 @@ RTFTypeMap rtf_types[]={ #define RTFNAMEMAXLEN 32 #define RTFARGSMAXLEN 64 +#define MAX_DIGITS_IN_NUMBER 10 /** * Structure describing rtf command @@ -367,9 +368,11 @@ signed long getNumber(FILE *f) { int c,count=0; char buf[RTFARGSMAXLEN]; - while(isdigit(c=fgetc(f)) || c=='-') { + while((isdigit(c=fgetc(f)) || c=='-')) { if(feof(f)) return -1; + if (count > MAX_DIGITS_IN_NUMBER) + break; buf[count++]=(char)c; } ungetc(c,f);