texlive[50773] Build/source/texk/dvipng/dvipng-src: dvi and tfm
commits+karl at tug.org
commits+karl at tug.org
Fri Apr 5 03:43:08 CEST 2019
Revision: 50773
http://tug.org/svn/texlive?view=revision&revision=50773
Author: karl
Date: 2019-04-05 03:43:07 +0200 (Fri, 05 Apr 2019)
Log Message:
-----------
dvi and tfm parsing checks, reports from Andy Nguyen of ETH Zurich (with help from afl-fuzz in one case)
Modified Paths:
--------------
trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog
trunk/Build/source/texk/dvipng/dvipng-src/dvi.c
trunk/Build/source/texk/dvipng/dvipng-src/tfm.c
Modified: trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog
===================================================================
--- trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog 2019-04-04 23:43:10 UTC (rev 50772)
+++ trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog 2019-04-05 01:43:07 UTC (rev 50773)
@@ -1,3 +1,12 @@
+2019-04-04 Karl Berry <karl at freefriends.org>
+
+ * tfm.c (ReadTFM): check for reading outside file bounds.
+ Report from Andy Nguyen of ETH Zurich.
+
+ * dvi.c (DVIGetCommand): check for (unsigned value) overflow
+ so we don't fail to realloc buffer if needed.
+ Report from Andy Nguyen of ETH Zurich, found using afl-fuzz.
+
2015-03-01 Jan-\xC5ke Larsson <jan-ake.larsson at liu.se>
* RELEASE: Release 1.15
Modified: trunk/Build/source/texk/dvipng/dvipng-src/dvi.c
===================================================================
--- trunk/Build/source/texk/dvipng/dvipng-src/dvi.c 2019-04-04 23:43:10 UTC (rev 50772)
+++ trunk/Build/source/texk/dvipng/dvipng-src/dvi.c 2019-04-05 01:43:07 UTC (rev 50773)
@@ -208,6 +208,12 @@
break;
}
if (strlength > 0) { /* Read string */
+ if (strlength == UINT32_MAX
+ || strlength+1 > UINT32_MAX - (uint32_t)length) {
+ /* Have to check else we might not realloc buffer. */
+ Fatal("strlength %u + 1 + length %u would overflow",
+ strlength, (uint32_t)length);
+ }
if (strlength+1 + (uint32_t)length > commlen) {
/* string + command length exceeds that of buffer */
commlen=strlength+1 + (uint32_t)length;
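Review bot: The two-part overflow test added at the top of the `if (strlength > 0)` branch can be written as one comparison that never evaluates `strlength+1`: `if (strlength >= UINT32_MAX - (uint32_t)length) {`. The two forms are equivalent as long as `strlength` is a `uint32_t`, which its declaration outside the hunk would need to confirm. The comment would also help more if it stated the consequence, for example `/* A wrapped sum would compare below commlen, so the buffer would not be grown to hold the string. */`. The enclosing function starts and ends outside the hunk.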
Modified: trunk/Build/source/texk/dvipng/dvipng-src/tfm.c
===================================================================
--- trunk/Build/source/texk/dvipng/dvipng-src/tfm.c 2019-04-04 23:43:10 UTC (rev 50772)
+++ trunk/Build/source/texk/dvipng/dvipng-src/tfm.c 2019-04-05 01:43:07 UTC (rev 50773)
@@ -36,6 +36,9 @@
("\n OPEN METRICS:\t'%s'", tfmname));
if (MmapFile(tfmname,&fmmap)) return(false);
position=(unsigned char*)fmmap.data;
+ if (fmmap.size < 10) {
+ Fatal("tfm file %s much too short (%u)", tfmname,fmmap.size);
+ }
lh = UNumRead(position+2,2);
bc = UNumRead(position+4,2);
ec = UNumRead(position+6,2);
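Review bot: The new `Fatal` call prints `fmmap.size` with `%u`, which is only correct if that field is an `unsigned int`. The declaration is not visible here, but if it is a `size_t`, as is usual for a mapped-file length, the argument does not match the conversion on LP64 targets. A portable form is `Fatal("tfm file %s much too short (%lu)", tfmname,(unsigned long)fmmap.size);`. The same applies to the two `(size %u)` messages added in the later tfm.c hunks. The header reads continue below the hunk, so whether 10 bytes covers all of them cannot be checked from these lines.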
@@ -45,6 +48,9 @@
if ((width=malloc(nw*sizeof(dviunits)))==NULL)
Fatal("cannot allocate memory for TFM widths");
c=0;
+ if (fmmap.size < 24+(lh+ec-bc+1)*4) {
+ Fatal("tfm file %s ends in width table (size %u)", tfmname,fmmap.size);
+ }
position=position+24+(lh+ec-bc+1)*4;
while( c < nw ) {
width[c] = SNumRead(position,4);
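Review bot: The added size check only proves that the width table's starting offset lies inside the file, not that the table fits. The loop right after it reads `nw` four-byte entries from that offset, so a file truncated anywhere inside the table still passes the check and `SNumRead(position,4)` reads past the mapping. Including the table length closes this: `if (fmmap.size < 24+(lh+ec-bc+1+nw)*4) {`. The types of `lh`, `bc`, `ec` and `nw` are declared outside the hunk. If they are unsigned or narrow, a header with `bc > ec+1` or large counts could make this expression wrap, so an explicit `bc <= ec+1` sanity test before the arithmetic is worth considering.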
@@ -53,6 +59,9 @@
}
/* Read char widths */
c=bc;
+ if (fmmap.size < 24+lh*4) {
+ Fatal("tfm file %s ends in widths (size %u)", tfmname,fmmap.size);
+ }
position=(unsigned char*)fmmap.data+24+lh*4;
while(c <= ec) {
DEBUG_PRINT(DEBUG_TFM,("\n@%ld TFM METRICS:\t",
@@ -60,13 +69,17 @@
if ((tcharptr=malloc(sizeof(struct char_entry)))==NULL)
Fatal("cannot allocate memory for TFM char entry");
tcharptr->data=NULL;
- tcharptr->tfmw=width[*position];
+ if (*position < nw) {
+ tcharptr->tfmw=width[*position];
+ } else {
+ Fatal("position out of bounds for width %u, char %u",*position,c);
+ }
DEBUG_PRINT(DEBUG_TFM,("%d [%d] %d",c,*position,tcharptr->tfmw));
tcharptr->tfmw = (dviunits)
((int64_t) tcharptr->tfmw * tfontp->s / (1 << 20));
DEBUG_PRINT(DEBUG_TFM,(" (%d)",tcharptr->tfmw));
if (c >= NFNTCHARS) /* Only positive for now */
- Fatal("tfm file %s exceeds char numbering limit",tfmname);
+ Fatal("tfm file %s exceeds char numbering limit %u",tfmname,NFNTCHARS);
tfontp->chr[c] = tcharptr;
c++;
position += 4;
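Review bot: The new `Fatal` for an out-of-range width index does not name the file and calls the index a "position", unlike the other tfm messages in this commit. Something like `Fatal("tfm file %s: width index %u out of range for char %u",tfmname,*position,c);` would be more consistent and easier to act on. Separately, the `c >= NFNTCHARS` test runs only after the char entry has been allocated and filled. Moving it to the top of the loop body would reject an oversized character range before any per-character work is done. The `while(c <= ec)` loop begins and continues outside this hunk.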