[tex-k] Potential bugs in TFM loading in TeX

Karl Berry karl at freefriends.org
Sat Jan 22 22:44:09 CET 2022


    Subject: [tex-k] Potential bugs in TFM loading in TeX

Thanks for the reports. We think it is the same underlying cause as what
Igor reported in https://tug.org/pipermail/tex-k/2021-June/003604.html
but I'll check further when I can.

If anyone else is interested in implementing overflow checks, David
Fuchs wrote the following about the earlier report. --thanks, karl.

From: David Fuchs

[...]

Yes, since beta is zero, I also get a divide-by-zero on

  sw:=(((((d*z)div@'400)+(c*z))div@'400)+(b*z))div beta;

But the actual problem is way earlier, since beta shouldn't even be able
to be zero to begin with:

@!alpha:integer;@!beta:1..16;

Looking down in <Replace |z|...> it seems that alpha got all the way to
512, so when it does

beta:=256 div alpha;

the assignment to beta is out of the expected range and read_font_info
fails here if range-checking is on.

So, new_font does <Scan the font size specification> which was supposed
to have checked for too-big magnification.  It gets it right for
"at-size", but there's no way it can see if the "scaled" value is too
big, since it depends on the design-size found in the tfm, which it
hasn't read yet.  So, that check would have to happen later, when it
calls read_font_info, and learns the design-size.  Perhaps in <Read the
{\.{TFM}} header> can check that z isn't too big just before it does
font_size[f]:=z;

That all said, I'm thinking this is not an oversight, but as you
suggest, a case of "don't do that; you get what you deserve" like the
integer-overflow cases.  -drf


More information about the tex-k mailing list.