[tex-k] Potential bugs in TFM loading in TeX

tttex at mailbox.org
Sun Jan 16 14:43:33 CET 2022


Dear all,

I would like to report two potential bugs in TeX. Both bugs are part of how TeX reads TFM files:

1. When a TFM file has a design size of at least 1024pt, and it is loaded with a scaling factor of at least 32, TeX will calculate an incorrect size for the font without raising an error message.

This is how this bug can be reproduced:
1. Create a TFM file with a design size of 1024 pt. This can for example be achieved by modifying one of the standard TFM files:
+ $ tftopl cmr10.tfm > bug.pl
+ Change the design size to 1024 pt by substituting (DESIGNSIZE R 10.0) with (DESIGNSIZE R 1024.0) in bug.pl
+ $ pltotf bug.pl > bug.tfm
2. In TeX, load the font with a scaling factor of 32:

This is TeX, Version 3.14159265 (TeX Live 2019/Debian) (preloaded format=tex)
**\font\a=bug scaled 32000

*\show\a
> \a=select font bug at 1000.0pt.

The expected size would be 32768.0pt.

This bug is caused by an unchecked overflow in the call to xn_over_d in module 568 (ARITH_ERROR is not checked after the call).

2. A related bug is triggered when a TFM file with a design size of at least 64pt is loaded with a scaling factor such that the resulting size exceeds 2048pt but is less than 32768pt. This causes a multiplication overflow which causes TeX to crash.

This is how this bug can be reproduced:
1. Create a TFM file with a design size of 256 pt. This can for example be achieved by modifying one of the standard TFM files:
+ $ tftopl cmr10.tfm > bug.pl
+ Change the design size to 256 pt by substituting (DESIGNSIZE R 10.0) with (DESIGNSIZE R 256.0) in bug.pl
+ $ pltotf bug.pl > bug.tfm
2. In TeX, load the font with a scaling factor of 8:

This is TeX, Version 3.14159265 (TeX Live 2019/Debian) (preloaded format=tex)
**\font\a=bug scaled 8000
Floating point exception (core dumped)

I believe this bug is caused by an overflow in the last multiplication in module 572. The code there makes the assumption that z is less than 2^{27} (as also stated explicitly in module 271) which is not enforced.
I suppose both bugs could be avoided by making the assumption explicit that loading a font with scaling does not create a font size larger than or equal to 2048pt and enforcing this when loading a TFM file.

Kind regards,
Tyge Tiessen
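As an added illustration (not part of the report above, and not TeX's own source), the following Python models the xn_over_d routine from tex.web module 107 and the `\font ... scaled` computation of module 568, reproducing the 1000.0pt result from the first report when the arith_error flag is ignored, and adds a guard in the spirit of the proposed 2048pt bound. Function names and the exact placement of the guard are this example's own choices.

```python
# Added example: a model of TeX's fixed-point font scaling (scaled points,
# 1pt = 2^16 sp) to show the unchecked-overflow behaviour described above.
SP_PER_PT = 65536                      # 2^16 scaled points per point
MAX_FONT_SIZE_SP = 2048 * SP_PER_PT    # proposed bound from the report (2^27 sp)


def xn_over_d(x: int, n: int, d: int) -> tuple[int, bool]:
    """Compute x*n/d in 15-bit halves as tex.web module 107 does.

    Returns (result, arith_error). On overflow TeX sets arith_error but
    leaves u only partially reduced; callers that skip the flag check get
    a wrong value rather than an error.
    """
    positive = x >= 0
    if not positive:
        x = -x
    t = (x % 32768) * n
    u = (x // 32768) * n + (t // 32768)
    v = (u % d) * 32768 + (t % 32768)
    arith_error = False
    if u // d >= 32768:
        arith_error = True              # quotient would not fit in 31 bits
    else:
        u = 32768 * (u // d) + (v // d)
    return (u if positive else -u), arith_error


def scaled_font_size(design_size_pt: float, scaled: int) -> tuple[float, bool]:
    """Module 568: z := xn_over_d(z, scaled, 1000) for '\\font\\a=f scaled s'.

    Returns (size in pt as TeX would store it, arith_error flag).
    """
    z = int(design_size_pt * SP_PER_PT)
    z, err = xn_over_d(z, scaled, 1000)
    return z / SP_PER_PT, err


def checked_font_size(design_size_pt: float, scaled: int):
    """Same computation, but reject the font (return None) when the
    arithmetic overflowed or the result reaches the 2048pt bound."""
    size_pt, err = scaled_font_size(design_size_pt, scaled)
    if err or size_pt * SP_PER_PT >= MAX_FONT_SIZE_SP:
        return None
    return size_pt


if __name__ == "__main__":
    # Constructed inputs mirroring the two reports: 1024pt scaled 32000 and
    # 256pt scaled 8000. The first silently yields 1000.0pt with arith_error set.
    print(scaled_font_size(1024.0, 32000))   # (1000.0, True)
    print(scaled_font_size(256.0, 8000))     # (2048.0, False)
    print(checked_font_size(10.0, 2000))     # 20.0
```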
