texlive[48697] Build/source/texk: writet1 protection against buffer

[commits+preining at tug.org]

Revision: 48697
          http://tug.org/svn/texlive?view=revision&revision=48697
Author:   preining
Date:     2018-09-19 06:02:06 +0200 (Wed, 19 Sep 2018)
Log Message:
-----------
writet1 protection against buffer overflow

Modified Paths:
--------------
    trunk/Build/source/texk/dvipsk/ChangeLog
    trunk/Build/source/texk/dvipsk/writet1.c
    trunk/Build/source/texk/web2c/luatexdir/ChangeLog
    trunk/Build/source/texk/web2c/luatexdir/font/writet1.c
    trunk/Build/source/texk/web2c/pdftexdir/ChangeLog
    trunk/Build/source/texk/web2c/pdftexdir/writet1.c

Modified: trunk/Build/source/texk/dvipsk/ChangeLog
===================================================================
--- trunk/Build/source/texk/dvipsk/ChangeLog	2018-09-19 03:32:50 UTC (rev 48696)
+++ trunk/Build/source/texk/dvipsk/ChangeLog	2018-09-19 04:02:06 UTC (rev 48697)
@@ -1,3 +1,8 @@
+2018-09-18  Nick Roessler  <nicholas.e.roessler at gmail.com>
+
+	* writet1.c (t1_check_unusual_charstring): protect against buffer
+	overflow.
+
 2018-04-14  Karl Berry  <karl at tug.org>
 
 	* Version 5.998 for TeX Live 2018 release.

Modified: trunk/Build/source/texk/dvipsk/writet1.c
===================================================================
--- trunk/Build/source/texk/dvipsk/writet1.c	2018-09-19 03:32:50 UTC (rev 48696)
+++ trunk/Build/source/texk/dvipsk/writet1.c	2018-09-19 04:02:06 UTC (rev 48697)
@@ -1449,7 +1449,9 @@
         *(strend(t1_buf_array) - 1) = ' ';
 
         t1_getline();
+        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcat(t1_buf_array, t1_line_array);
+        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcpy(t1_line_array, t1_buf_array);
         t1_line_ptr = eol(t1_line_array);
     }

Modified: trunk/Build/source/texk/web2c/luatexdir/ChangeLog
===================================================================
--- trunk/Build/source/texk/web2c/luatexdir/ChangeLog	2018-09-19 03:32:50 UTC (rev 48696)
+++ trunk/Build/source/texk/web2c/luatexdir/ChangeLog	2018-09-19 04:02:06 UTC (rev 48697)
@@ -1,3 +1,7 @@
+2018-09-18 Nick Roessler <nicholas.e.roessler at gmail.com>
+	* fonts/writet1.w (t1_check_unusual_charstring): protect against
+	buffer overflow.
+
 2018-08-27 Luigi Scarso <luigi.scarso at gmail.com>
 	* dropped dependency from gmp and mpfr
 

Modified: trunk/Build/source/texk/web2c/luatexdir/font/writet1.c
===================================================================
--- trunk/Build/source/texk/web2c/luatexdir/font/writet1.c	2018-09-19 03:32:50 UTC (rev 48696)
+++ trunk/Build/source/texk/web2c/luatexdir/font/writet1.c	2018-09-19 04:02:06 UTC (rev 48697)
@@ -1581,7 +1581,9 @@
     if (sscanf(p, "%i", &i) != 1) {
         strcpy(t1_buf_array, t1_line_array);
         t1_getline();
+        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcat(t1_buf_array, t1_line_array);
+        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcpy(t1_line_array, t1_buf_array);
         t1_line_ptr = eol(t1_line_array);
     }

Modified: trunk/Build/source/texk/web2c/pdftexdir/ChangeLog
===================================================================
--- trunk/Build/source/texk/web2c/pdftexdir/ChangeLog	2018-09-19 03:32:50 UTC (rev 48696)
+++ trunk/Build/source/texk/web2c/pdftexdir/ChangeLog	2018-09-19 04:02:06 UTC (rev 48697)
@@ -1,3 +1,8 @@
+2018-09-18  Nick Roessler  <nicholas.e.roessler at gmail.com>
+
+	* writet1.c (t1_check_unusual_charstring): protect against buffer
+	overflow.
+
 2018-09-09  Karl Berry  <karl at tug.org>
 
 	* expanded.test,

Modified: trunk/Build/source/texk/web2c/pdftexdir/writet1.c
===================================================================
--- trunk/Build/source/texk/web2c/pdftexdir/writet1.c	2018-09-19 03:32:50 UTC (rev 48696)
+++ trunk/Build/source/texk/web2c/pdftexdir/writet1.c	2018-09-19 04:02:06 UTC (rev 48697)
@@ -1598,7 +1598,9 @@
         *(strend(t1_buf_array) - 1) = ' ';
 
         t1_getline();
+        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcat(t1_buf_array, t1_line_array);
+        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcpy(t1_line_array, t1_buf_array);
         t1_line_ptr = eol(t1_line_array);
     }