Abort on rtf keywords with negative skip count params

FenPhoenix · Feb 23, 2024 · 9ffe506 · 9ffe506
1 parent c162df5
commit 9ffe506
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 4 deletions.
diff --git a/AL_Common/RTF/RTFParserCommon.cs b/AL_Common/RTF/RTFParserCommon.cs
@@ -1006,7 +1006,11 @@ public enum RtfError
         /// <summary>
         /// A symbol table entry was malformed. Possibly one of its enum values was out of range.
         /// </summary>
-        InvalidSymbolTableEntry
+        InvalidSymbolTableEntry,
+        /// <summary>
+        /// The rtf is malformed in such a way that it might be unsafe to continue parsing it (infinite loops, stack overflows, etc.)
+        /// </summary>
+        AbortedForSafety
     }
 
     #endregion

diff --git a/AL_Common/RTF/RtfDisplayedReadmeParser.cs b/AL_Common/RTF/RtfDisplayedReadmeParser.cs
@@ -178,6 +178,7 @@ private RtfError DispatchSpecialKeyword(SpecialType specialType, Symbol symbol,
         {
             case SpecialType.SkipNumberOfBytes:
                 if (symbol.UseDefaultParam) param = symbol.DefaultParam;
+                if (param < 0) return RtfError.AbortedForSafety;
                 CurrentPos += param;
                 break;
             case SpecialType.SkipDest:

diff --git a/AL_Common/RTF/RtfDisplayedReadmeParser_DupeDest.Generated.cs b/AL_Common/RTF/RtfDisplayedReadmeParser_DupeDest.Generated.cs
@@ -133,7 +133,7 @@ private RtfError HandleSkippableHexData()
     {
         // Prevent stack overflow from maliciously-crafted rtf files - we should never recurse back into here in
         // a spec-conforming file.
-        if (_inHandleSkippableHexData) return RtfError.StackOverflow;
+        if (_inHandleSkippableHexData) return RtfError.AbortedForSafety;
         _inHandleSkippableHexData = true;
 
         int startGroupLevel = _ctx.GroupStack.Count;

diff --git a/AL_Common/RTF/RtfToTextConverter.cs b/AL_Common/RTF/RtfToTextConverter.cs
@@ -1076,6 +1076,7 @@ private RtfError DispatchSpecialKeyword(SpecialType specialType, Symbol symbol,
         {
             case SpecialType.SkipNumberOfBytes:
                 if (symbol.UseDefaultParam) param = symbol.DefaultParam;
+                if (param < 0) return RtfError.AbortedForSafety;
                 CurrentPos += param;
                 break;
             case SpecialType.HexEncodedChar:
@@ -1110,7 +1111,7 @@ private unsafe RtfError HandleFontTable()
     {
         // Prevent stack overflow from maliciously-crafted rtf files - we should never recurse back into here in
         // a spec-conforming file.
-        if (_inHandleFontTable) return RtfError.StackOverflow;
+        if (_inHandleFontTable) return RtfError.AbortedForSafety;
         _inHandleFontTable = true;
 
         int fontTableGroupLevel = _ctx.GroupStack.Count;

diff --git a/AL_Common/RTF/RtfToTextConverter_DupeSource.cs b/AL_Common/RTF/RtfToTextConverter_DupeSource.cs
@@ -132,7 +132,7 @@ private RtfError HandleSkippableHexData()
     {
         // Prevent stack overflow from maliciously-crafted rtf files - we should never recurse back into here in
         // a spec-conforming file.
-        if (_inHandleSkippableHexData) return RtfError.StackOverflow;
+        if (_inHandleSkippableHexData) return RtfError.AbortedForSafety;
         _inHandleSkippableHexData = true;
 
         int startGroupLevel = _ctx.GroupStack.Count;