texlive[50775] Build/source/texk/dvipng/dvipng-src: pk parsing check,

commits+karl at tug.org commits+karl at tug.org
Fri Apr 5 16:13:24 CEST 2019 

Revision: 50775
          http://tug.org/svn/texlive?view=revision&revision=50775
Author:   karl
Date:     2019-04-05 16:13:24 +0200 (Fri, 05 Apr 2019)
Log Message:
-----------
pk parsing check, again from Andy Nguyen of ETH Zurich

Modified Paths:
--------------
    trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog
    trunk/Build/source/texk/dvipng/dvipng-src/pk.c

Modified: trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog
===================================================================
--- trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog	2019-04-05 04:36:05 UTC (rev 50774)
+++ trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog	2019-04-05 14:13:24 UTC (rev 50775)
@@ -1,3 +1,8 @@
+2019-04-05  Karl Berry  <karl at freefriends.org>
+
+	* pk.c (InitPK): check for packet_length reading outside file bounds.
+	Report from Andy Nguyen of ETH Zurich.
+	
 2019-04-04  Karl Berry  <karl at freefriends.org>
 
 	* tfm.c (ReadTFM): check for reading outside file bounds.

Modified: trunk/Build/source/texk/dvipng/dvipng-src/pk.c
===================================================================
--- trunk/Build/source/texk/dvipng/dvipng-src/pk.c	2019-04-05 04:36:05 UTC (rev 50774)
+++ trunk/Build/source/texk/dvipng/dvipng-src/pk.c	2019-04-05 14:13:24 UTC (rev 50775)
@@ -354,15 +354,24 @@
     tcharptr->data = NULL;
     tcharptr->tfmw = 0;
     if ((*position & 7) == 7) {
+      if (tfontp->fmmap.size < (char *)position-tfontp->fmmap.data + 9) {
+        Fatal("file too short (%u) for 9-byte packet_length",tfontp->fmmap.size);
+      }
       packet_length = UNumRead(position+1,4);
       c = UNumRead(position+5, 4);
       position += 9;
     } else if (*position & 4) {
+      if (tfontp->fmmap.size < (char *)position-tfontp->fmmap.data + 4) {
+        Fatal("file too short (%u) for 4-byte packet_length",tfontp->fmmap.size);
+      }
       packet_length = (*position & 3) * 65536l +
 	UNumRead(position+1, 2);
       c = UNumRead(position+3, 1);
       position += 4;
     } else {
+      if (tfontp->fmmap.size < (char *)position-tfontp->fmmap.data + 3) {
+        Fatal("file too short (%u) for 3-byte packet_length",tfontp->fmmap.size);
+      }
       packet_length = (*position & 3) * 256 +
 	UNumRead(position+1, 1);
       c = UNumRead(position+2, 1);

More information about the tex-live-commits mailing list