RTFHandler: protect against CR and bad hexadecimal sequence

In RTF is possible to specify characters with the sequence \'XX being XX an hexadecimal number. With this changeset we guard against incorrect hexadecimal numbers which will be ignored. The other change added is to ignore carriadge returns in plain text.
2026-04-11 16:28:51 +00:00 · 2016-01-27 16:42:19 +01:00
parent 8e80b57d31
commit e5f15f69df
3 changed files with 28 additions and 5 deletions
--- a/OpenChange/RTFHandler.m
+++ b/OpenChange/RTFHandler.m
@@ -608,7 +608,6 @@ static void _init_fontCws_table()
     word and is not part of the control word. */

  end = _bytes;
-
  *len = end-start-1;

  return start+1;
@@ -1250,7 +1249,8 @@ inline static void parseUl(RTFHandler *self, BOOL hasArg, int arg, RTFFormatting
            {
              // A hexadecimal value, based on the specified character set (may be used to identify 8-bit values).
              const char *b1, *b2;
-              unsigned short index;
+              short index;
+              short tmp;

              const unsigned short * active_charset;
              if (formattingOptions && formattingOptions->charset)
@@ -1265,8 +1265,21 @@ inline static void parseUl(RTFHandler *self, BOOL hasArg, int arg, RTFFormatting
              b1 = ADVANCE;
              b2 = ADVANCE;
              
-              index = (isdigit(*b1) ? *b1 - 48 : toupper(*b1) - 55) * 16;
-              index += (isdigit(*b2) ? *b2 - 48 : toupper(*b2) - 55);
+              tmp = (isdigit(*b1) ? *b1 - 48 : toupper(*b1) - 55);
+              if (tmp < 0 || tmp > 16)
+                {
+                  // Incorrect first hexadecimal character. Skipping.
+                  continue;
+                }
+              index = tmp*16;
+
+              tmp = (isdigit(*b2) ? *b2 - 48 : toupper(*b2) - 55);
+              if (tmp < 0 || tmp > 16)
+                {
+                  // Incorrect second hexadecimal character. Skipping.
+                  continue;
+                }              
+              index += tmp;
              
              s = [NSString stringWithCharacters: &(active_charset[index])  length: 1];
              d = [s dataUsingEncoding: NSUTF8StringEncoding];
@@ -1435,7 +1448,7 @@ inline static void parseUl(RTFHandler *self, BOOL hasArg, int arg, RTFFormatting
        {
          c = *_bytes;
          // We avoid appending NULL bytes or endlines
-          if (c && (c != '\n')) 
+          if (c && (c != '\n') && (c != '\r'))
            {
              const unsigned short * active_charset;
              if (formattingOptions && formattingOptions->charset)
--- a/Tests/Unit/Fixtures/bad_hex_and_cr.rtf
+++ b/Tests/Unit/Fixtures/bad_hex_and_cr.rtf
--- a/Tests/Unit/TestRTFHandler.m
+++ b/Tests/Unit/TestRTFHandler.m
@@ -306,4 +306,13 @@
                 againstExpectedHTML: expected];  
 }

+- (void) test_bad_hex_and_cr
+{
+  NSString *file =@"bad_hex_and_cr.rtf";
+  NSString *expected=@"<html><meta charset='utf-8'><body><font face=\"Calibri\"><font face=\"Calibri Cyr\"><font color=\"#000000\">Good hex:H Bad1Hex: Bad2Hex: Ignored Carriadge Return</font></font></font></body></html>";
+
+  [self checkHTMLConversionOfRTFFile: file
+                 againstExpectedHTML: expected];  
+}
+
@end