texlive[50835] Build/source/texk/dvipng/dvipng-src: updated fixes

commits+karl at tug.org commits+karl at tug.org
Sun Apr 7 03:30:10 CEST 2019


Revision: 50835
          http://tug.org/svn/texlive?view=revision&revision=50835
Author:   karl
Date:     2019-04-07 03:30:09 +0200 (Sun, 07 Apr 2019)
Log Message:
-----------
updated fixes from Jan-Ake from https://savannah.nongnu.org/git/?group=dvipng

Modified Paths:
--------------
    trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog
    trunk/Build/source/texk/dvipng/dvipng-src/dvi.c
    trunk/Build/source/texk/dvipng/dvipng-src/pk.c
    trunk/Build/source/texk/dvipng/dvipng-src/tfm.c

Modified: trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog
===================================================================
--- trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog	2019-04-07 01:25:25 UTC (rev 50834)
+++ trunk/Build/source/texk/dvipng/dvipng-src/ChangeLog	2019-04-07 01:30:09 UTC (rev 50835)
@@ -1,10 +1,8 @@
-2019-04-05  Karl Berry  <karl at freefriends.org>
+2019-04-06  Jan-\xC5ke Larsson  <jan-ake.larsson at liu.se>
 
 	* pk.c (InitPK): check for packet_length reading outside file bounds.
 	Report from Andy Nguyen of ETH Zurich.
 	
-2019-04-04  Karl Berry  <karl at freefriends.org>
-
 	* tfm.c (ReadTFM): check for reading outside file bounds.
 	Report from Andy Nguyen of ETH Zurich.
 	

Modified: trunk/Build/source/texk/dvipng/dvipng-src/dvi.c
===================================================================
--- trunk/Build/source/texk/dvipng/dvipng-src/dvi.c	2019-04-07 01:25:25 UTC (rev 50834)
+++ trunk/Build/source/texk/dvipng/dvipng-src/dvi.c	2019-04-07 01:30:09 UTC (rev 50835)
@@ -18,7 +18,7 @@
   License along with this program. If not, see
   <http://www.gnu.org/licenses/>.
 
-  Copyright (C) 2002-2015 Jan-\xC5ke Larsson
+  Copyright (C) 2002-2015, 2019 Jan-\xC5ke Larsson
 
 ************************************************************************/
 
@@ -208,12 +208,8 @@
     break;
   }
   if (strlength > 0) { /* Read string */
-    if (strlength == UINT32_MAX
-        || strlength+1 > UINT32_MAX - (uint32_t)length) {
-      /* Have to check else we might not realloc buffer. */
-      Fatal("strlength %u + 1 + length %u would overflow",
-            strlength, (uint32_t)length);
-    }
+    if (strlength > UINT32_MAX - (uint32_t)length - 1)
+      Fatal("integer overflow in DVI command length");
     if (strlength+1 + (uint32_t)length > commlen) {
       /* string + command length exceeds that of buffer */
       commlen=strlength+1 + (uint32_t)length;
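Review bot: The new one-line guard at `if (strlength > UINT32_MAX - (uint32_t)length - 1)` drops the comment that explained why the check exists, and the Fatal message no longer reports the offending values. A short comment would keep the intent visible, for example `/* strlength is read from the DVI file; reject it before strlength+1+length wraps and the realloc below is skipped */`. The subtraction is only safe if `length` is a small non-negative value, which appears to be the case but is declared outside this hunk. The enclosing function starts and ends outside the hunk.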

Modified: trunk/Build/source/texk/dvipng/dvipng-src/pk.c
===================================================================
--- trunk/Build/source/texk/dvipng/dvipng-src/pk.c	2019-04-07 01:25:25 UTC (rev 50834)
+++ trunk/Build/source/texk/dvipng/dvipng-src/pk.c	2019-04-07 01:30:09 UTC (rev 50835)
@@ -18,7 +18,7 @@
   License along with this program. If not, see
   <http://www.gnu.org/licenses/>.
 
-  Copyright (C) 2002-2009 Jan-\xC5ke Larsson
+  Copyright (C) 2002-2009, 2019 Jan-\xC5ke Larsson
 
 ************************************************************************/
 
@@ -74,20 +74,23 @@
   }
 }
 
-static unsigned char* skip_specials(unsigned char* pos)
+static unsigned char* skip_specials(unsigned char* pos, unsigned char* end)
 {
   uint32_t    i;
 
-  while (*pos >= 240 && *pos != PK_POST) {
+  while (pos < end && *pos >= 240 && *pos != PK_POST) {
     i=0;
     switch (*pos++) {
     case 243:
       i = *pos++;
     case 242:
+      if (pos >= end) break;
       i = 256 * i + *pos++;
     case 241:
+      if (pos >= end) break;
       i = 256 * i + *pos++;
     case 240:
+      if (pos >= end) break;
       i = 256 * i + *pos++;
       DEBUG_PRINT(DEBUG_PK,("\n  PK SPECIAL\t'%.*s' ",(int)i,pos));
       pos += i;
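Review bot: Two reads in skip_specials are still unbounded after this change. `case 243:` executes `i = *pos++;` without the `if (pos >= end) break;` guard that the other three cases received, although `switch (*pos++)` may already have advanced `pos` to `end`. The file-supplied length `i` is then used in `DEBUG_PRINT` with `%.*s` and in `pos += i` without comparing it to the bytes that remain, so `pos` can be moved far beyond the mapping before the loop condition is tested again. I would add the same guard at the top of `case 243:` and put `if (i > (size_t)(end - pos)) { pos = end; break; }` before the `DEBUG_PRINT`. The function body continues outside the hunk.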
@@ -308,7 +311,7 @@
 
 void InitPK(struct font_entry * tfontp)
 {
-  unsigned char* position;
+  unsigned char* position, *end;
   struct char_entry *tcharptr; /* temporary char_entry pointer  */
   uint32_t    hppp, vppp, packet_length;
   uint32_t    c;
@@ -318,7 +321,7 @@
   if (MmapFile(tfontp->name,&(tfontp->fmmap)))
     Fatal("font file %s unusable", tfontp->name);
   position=(unsigned char*)tfontp->fmmap.data;
-  if (tfontp->fmmap.size < 2 || tfontp->fmmap.size < 3+*(position+2)+16)
+  if (tfontp->fmmap.size < 3 || tfontp->fmmap.size < 3+*(position+2)+16)
     Fatal("PK file %s ends prematurely",tfontp->name);
   if (*position++ != PK_PRE)
     Fatal("unknown font format in file %s",tfontp->name);
@@ -344,8 +347,9 @@
   tfontp->magnification = (uint32_t)((uint64_t)hppp * 7227 * 5 / 65536l + 50)/100;
   position+=16;
   /* Read char definitions */
-  position = skip_specials(position);
-  while (*position != PK_POST) {
+  end=(unsigned char *) tfontp->fmmap.data+tfontp->fmmap.size;
+  position = skip_specials(position,end);
+  while (position < end && *position != PK_POST) {
     DEBUG_PRINT(DEBUG_PK,("\n  @%ld PK CHAR:\t%d",
 			  (long)((char *)position - tfontp->fmmap.data), *position));
     if ((tcharptr = malloc(sizeof(struct char_entry))) == NULL)
@@ -354,24 +358,18 @@
     tcharptr->data = NULL;
     tcharptr->tfmw = 0;
     if ((*position & 7) == 7) {
-      if (tfontp->fmmap.size < (char *)position-tfontp->fmmap.data + 9) {
-        Fatal("file too short (%u) for 9-byte packet_length",tfontp->fmmap.size);
-      }
+      if (position < end - 9) Fatal("PK file %s ends prematurely",tfontp->name);
       packet_length = UNumRead(position+1,4);
       c = UNumRead(position+5, 4);
       position += 9;
     } else if (*position & 4) {
-      if (tfontp->fmmap.size < (char *)position-tfontp->fmmap.data + 4) {
-        Fatal("file too short (%u) for 4-byte packet_length",tfontp->fmmap.size);
-      }
+      if (position < end - 4) Fatal("PK file %s ends prematurely",tfontp->name);
       packet_length = (*position & 3) * 65536l +
 	UNumRead(position+1, 2);
       c = UNumRead(position+3, 1);
       position += 4;
     } else {
-      if (tfontp->fmmap.size < (char *)position-tfontp->fmmap.data + 3) {
-        Fatal("file too short (%u) for 3-byte packet_length",tfontp->fmmap.size);
-      }
+      if (position < end - 3) Fatal("PK file %s ends prematurely",tfontp->name);
       packet_length = (*position & 3) * 256 +
 	UNumRead(position+1, 1);
       c = UNumRead(position+2, 1);
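Review bot: The three new length checks are inverted. `if (position < end - 9) Fatal(...)` fires when at least nine bytes remain and passes when the file is too short, so valid PK fonts are rejected and truncated ones reach the `UNumRead` calls unchecked. The removed code tested the opposite direction, file size less than offset plus 9. The condition should be written as remaining-bytes-too-small, e.g. `if (end - position < 9) Fatal("PK file %s ends prematurely",tfontp->name);`, and likewise with 4 and 3 in the other two branches. The enclosing loop in InitPK starts and ends outside this hunk.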
@@ -383,14 +381,10 @@
   tcharptr->length = packet_length;
   tcharptr->pkdata = position;
   tfontp->chr[c]=tcharptr;
-  if (tfontp->fmmap.size
-      < (char *)position-tfontp->fmmap.data + packet_length) {
-    Fatal("file too short (%u) to read past packet_length %u",
-          tfontp->fmmap.size, packet_length);
-  }
   position += packet_length;
-  position = skip_specials(position);
+  position = skip_specials(position, end);
   }
+  if (position >= end) Fatal("PK file %s ends prematurely",tfontp->name);
 }
 
 static void UnLoadPK(struct char_entry *ptr)
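Review bot: Removing the `packet_length` bounds test leaves `tcharptr->length` and `tcharptr->pkdata` stored without confirming that the packet lies inside the mapped file. The new `position >= end` test after the loop only catches an overrun at the last character, and `position += packet_length` can itself form a pointer far outside the mapping before the loop condition is evaluated. Code that later reads `pkdata` for `length` bytes would presumably read past the mapping. An equivalent of the removed check should stay in front of the advance, e.g. `if (packet_length > (size_t)(end - position)) Fatal("PK file %s ends prematurely",tfontp->name);`. Whether `c` is range-checked before `tfontp->chr[c]` is not visible in this hunk.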

Modified: trunk/Build/source/texk/dvipng/dvipng-src/tfm.c
===================================================================
--- trunk/Build/source/texk/dvipng/dvipng-src/tfm.c	2019-04-07 01:25:25 UTC (rev 50834)
+++ trunk/Build/source/texk/dvipng/dvipng-src/tfm.c	2019-04-07 01:30:09 UTC (rev 50835)
@@ -18,7 +18,7 @@
   License along with this program. If not, see
   <http://www.gnu.org/licenses/>.
 
-  Copyright (C) 2002-2009 Jan-\xC5ke Larsson
+  Copyright (C) 2002-2009, 2019 Jan-\xC5ke Larsson
 
 ************************************************************************/
 
@@ -36,9 +36,7 @@
 	      ("\n  OPEN METRICS:\t'%s'", tfmname));
   if (MmapFile(tfmname,&fmmap)) return(false);
   position=(unsigned char*)fmmap.data;
-  if (fmmap.size < 10) {
-    Fatal("tfm file %s much too short (%u)", tfmname,fmmap.size);
-  }
+  if (fmmap.size<10) Fatal("TFM file %s ends prematurely",tfmname);
   lh = UNumRead(position+2,2);
   bc = UNumRead(position+4,2);
   ec = UNumRead(position+6,2);
@@ -45,14 +43,13 @@
   nw = UNumRead(position+8,2);
   DEBUG_PRINT(DEBUG_TFM,(" %d %d %d %d",lh,bc,ec,nw));
   if (nw>0) {
+    unsigned char *end=(unsigned char *) fmmap.data+fmmap.size;
     if ((width=malloc(nw*sizeof(dviunits)))==NULL)
       Fatal("cannot allocate memory for TFM widths");
     c=0;
-    if (fmmap.size < 24+(lh+ec-bc+1)*4) {
-      Fatal("tfm file %s ends in width table (size %u)", tfmname,fmmap.size);
-    }
     position=position+24+(lh+ec-bc+1)*4;
     while( c < nw ) {
+      if (position >= end - 4) Fatal("TFM file %s ends prematurely",tfmname);
       width[c] = SNumRead(position,4);
       c++;
       position += 4;
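Review bot: The per-iteration test `if (position >= end - 4)` replaces the removed size check but only bounds the pointer from above, and it is off by one. `position=position+24+(lh+ec-bc+1)*4` is built from three file-supplied fields; if they are signed ints (declared outside the hunk) and `bc` exceeds `lh+ec+1`, the offset is negative and `position` lands before the mapping, which the new test does not catch. Validating the offset as an integer before forming the pointer avoids this, e.g. `if (bc > ec+1 || 24+(size_t)(lh+ec-bc+1)*4+(size_t)nw*4 > fmmap.size) Fatal("TFM file %s ends prematurely",tfmname);`. Separately, `position == end - 4` is a valid place to read four bytes, so the in-loop test should be `position > end - 4`.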
@@ -59,11 +56,9 @@
     }
     /* Read char widths */
     c=bc;
-    if (fmmap.size < 24+lh*4) {
-      Fatal("tfm file %s ends in widths (size %u)", tfmname,fmmap.size);
-    }
     position=(unsigned char*)fmmap.data+24+lh*4;
     while(c <= ec) {
+      if (position >= end) Fatal("TFM file %s ends prematurely",tfmname);
       DEBUG_PRINT(DEBUG_TFM,("\n@%ld TFM METRICS:\t",
 			     (long)((char *)position - fmmap.data)));
       if ((tcharptr=malloc(sizeof(struct char_entry)))==NULL)
@@ -72,7 +67,7 @@
       if (*position < nw) {
         tcharptr->tfmw=width[*position];
       } else {
-        Fatal("position out of bounds for width %u, char %u",*position,c);
+        Fatal("TFM file %s lacks width for char %u", tfmname, *position);
       }
       DEBUG_PRINT(DEBUG_TFM,("%d [%d] %d",c,*position,tcharptr->tfmw));
       tcharptr->tfmw = (dviunits)
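Review bot: The reworded message passes `*position` where it says "char", but `*position` is the width-table index that just failed the `< nw` test. The character code is `c`, as the `DEBUG_PRINT` on the following line shows. To keep the diagnostic accurate when triaging a malformed font, I would print the character and ideally the index too: `Fatal("TFM file %s lacks width %u for char %u", tfmname, *position, c);`.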


