texlive[45594] Build/source/texk/kpathsea: avoid potential buffer

commits+karl at tug.org commits+karl at tug.org
Wed Oct 25 01:35:22 CEST 2017 

Revision: 45594
          http://tug.org/svn/texlive?view=revision&revision=45594
Author:   karl
Date:     2017-10-25 01:35:22 +0200 (Wed, 25 Oct 2017)
Log Message:
-----------
avoid potential buffer overrun on erroneous input, and rework test

Modified Paths:
--------------
    trunk/Build/source/texk/kpathsea/ChangeLog
    trunk/Build/source/texk/kpathsea/expand.c

Modified: trunk/Build/source/texk/kpathsea/ChangeLog
===================================================================
--- trunk/Build/source/texk/kpathsea/ChangeLog	2017-10-24 22:11:52 UTC (rev 45593)
+++ trunk/Build/source/texk/kpathsea/ChangeLog	2017-10-24 23:35:22 UTC (rev 45594)
@@ -1,3 +1,9 @@
+2017-10-25  Karl Berry  <karl at tug.org>
+
+	* expand.c (brace_expand): do not look past the terminating
+	null with bad input like "a{\0whatever".
+	From Doug McKenna, personal mail, 23oct17.
+
 2017-09-22  Akira Kakuto  <kakuto at fuk.kindai.ac.jp>
 
 	* tex-file.c: Use a standard API function GetLongPathName()

Modified: trunk/Build/source/texk/kpathsea/expand.c
===================================================================
--- trunk/Build/source/texk/kpathsea/expand.c	2017-10-24 22:11:52 UTC (rev 45593)
+++ trunk/Build/source/texk/kpathsea/expand.c	2017-10-24 23:35:22 UTC (rev 45594)
@@ -335,6 +335,8 @@
             /* Check for missing closing brace. */
             if (*p != '}') {
                 WARNING1 ("kpathsea: %s: Unmatched {", *text);
+                --p; /* undo ++p above for the next iteration,
+                        to avoid potential buffer overrun */
             }
             *text = p+1;
         } else if (*p == '$') {
@@ -373,20 +375,25 @@
   fprintf (stderr, "\n");
 }
 
+int
 main (int argc, char **argv)
 {
   char example[256];
+  char *result;
+
   kpse_set_program_name(argv[0], NULL);
+  result = kpse_brace_expand ("a{\0exebad");
+  printf ("%s\n", result);
 
+#if 0 /* if you want an interactive loop */
   for (;;)
     {
-      char *result;
       int i;
 
       fprintf (stderr, "brace_expand> ");
 
-      if ((!fgets (example, 256, stdin)) ||
-          (strncmp (example, "quit", 4) == 0))
+      if ((!fgets (example, 256, stdin))
+          || strncmp (example, "quit", 4) == 0)
         break;
 
       if (strlen (example))
@@ -393,10 +400,11 @@
         example[strlen (example) - 1] = 0;
 
       result = kpse_brace_expand (example);
+      printf ("%s\n", result);
+    }
+#endif
+  return 0;
 
-        printf ("%s\n", result);
-
-    }
 }
 

 
@@ -404,6 +412,6 @@
 
 /*
 Local variables:
-standalone-compile-command: "gcc -g -I. -I.. -DTEST expand.c kpathsea.a"
+standalone-compile-command: "gcc -g -DMAKE_KPSE_DLL -I. -I.. -I$kp -I$kp/.. -DTEST $kp/expand.c .libs/libkpathsea.a"
 end:
 */

More information about the tex-live-commits mailing list