@@ -65,7 +65,7 @@ struct rtf_state {
|
65
|
65
|
void* cb_data; /* data set up by cb_begin, used by cb_process, and cleaned up by cb_end. typically state data */
|
66
|
66
|
size_t default_elements;
|
67
|
67
|
size_t controlword_cnt;
|
68
|
|
- ssize_t controlword_param;
|
|
68
|
+ int64_t controlword_param;
|
69
|
69
|
enum parse_state parse_state;
|
70
|
70
|
int controlword_param_sign;
|
71
|
71
|
int encounteredTopLevel; /* encountered top-level control words that we care about */
|
@@ -643,7 +643,14 @@ int cli_scanrtf(cli_ctx* ctx)
|
643
|
643
|
break;
|
644
|
644
|
case PARSE_CONTROL_WORD_PARAM:
|
645
|
645
|
if (isdigit(*ptr)) {
|
646
|
|
- state.controlword_param = state.controlword_param * 10 + *ptr++ - '0';
|
|
646
|
+ if (((state.controlword_param) > INT64_MAX / 10) ||
|
|
647
|
+ (state.controlword_param * 10 > INT64_MAX - (*ptr - '0'))) {
|
|
648
|
+ cli_dbgmsg("Invalid control word param: maximum size exceeded.\n");
|
|
649
|
+ state.parse_state = PARSE_MAIN;
|
|
650
|
+ } else {
|
|
651
|
+ state.controlword_param = state.controlword_param * 10 + (*ptr - '0');
|
|
652
|
+ ptr++;
|
|
653
|
+ }
|
647
|
654
|
} else if (isalpha(*ptr)) {
|
648
|
655
|
ptr++;
|
649
|
656
|
} else {
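Review bot: The overflow branch under `case PARSE_CONTROL_WORD_PARAM:` returns to `PARSE_MAIN` without consuming the digit or clearing `state.controlword_param`, so the partial value (and `controlword_param_sign`) stays in the state and the rest of the oversized number is presumably re-read as document text. Whether anything reads the stale value afterwards is not visible, because `cli_scanrtf` continues outside the hunk. Resetting it in that branch with `state.controlword_param = 0;` would remove the question. The guard itself is sound for a non-negative accumulator, but it depends on the `> INT64_MAX / 10` comparison staying first so that `state.controlword_param * 10` cannot overflow in the second; a comment such as `/* order matters: the first test keeps the multiplication below from overflowing */` would protect that. On the context line, if `ptr` is a plain `char *`, use `isdigit((unsigned char)*ptr)`, since bytes above 0x7f from the scanned file would otherwise be passed as negative values.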
|