texlive[50645] Build/source/texk/dvipdfm-x: fix security problem

commits+kakuto at tug.org commits+kakuto at tug.org
Fri Mar 29 23:13:05 CET 2019


Revision: 50645
          http://tug.org/svn/texlive?view=revision&revision=50645
Author:   kakuto
Date:     2019-03-29 23:13:05 +0100 (Fri, 29 Mar 2019)
Log Message:
-----------
fix security problem reported by Andy Nguyen

Modified Paths:
--------------
    trunk/Build/source/texk/dvipdfm-x/ChangeLog
    trunk/Build/source/texk/dvipdfm-x/spc_pdfm.c
    trunk/Build/source/texk/dvipdfm-x/spc_xtx.c
    trunk/Build/source/texk/dvipdfm-x/specials.c

Modified: trunk/Build/source/texk/dvipdfm-x/ChangeLog
===================================================================
--- trunk/Build/source/texk/dvipdfm-x/ChangeLog	2019-03-29 21:18:52 UTC (rev 50644)
+++ trunk/Build/source/texk/dvipdfm-x/ChangeLog	2019-03-29 22:13:05 UTC (rev 50645)
@@ -1,3 +1,14 @@
+2019-03-30  Akira Kakuto  <kakuto at w32tex.org>
+
+	* spc_xtx.c: "ap->curptr" was copied to "buffer" without
+	length validation. Fix this security problem.
+	* spc_pdfm.c: "ap->curptr" was copied to "buffer" without
+	length validation. Fix this security problem.
+	* specials.c: Error message was written using vsprintf(),
+	which has no length limitation. Use vsnprintf() instead.
+
+	Report from Andy Nguyen of ETH Zurich.
+
 2019-03-05  Clerk Ma  <maqiyuan130324 at vip.qq.com>
 
 	* tt_table.c: Fix 'null character(s)' warning caused by

Modified: trunk/Build/source/texk/dvipdfm-x/spc_pdfm.c
===================================================================
--- trunk/Build/source/texk/dvipdfm-x/spc_pdfm.c	2019-03-29 21:18:52 UTC (rev 50644)
+++ trunk/Build/source/texk/dvipdfm-x/spc_pdfm.c	2019-03-29 22:13:05 UTC (rev 50645)
@@ -1764,6 +1764,7 @@
   return  error;
 }
 
+#define THEBUFFLENGTH 1024
 static int
 spc_handler_pdfm_mapline (struct spc_env *spe, struct spc_arg *ap)
 {
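Review bot: THEBUFFLENGTH is added here as a file-level macro placed between two functions, and the same definition is repeated in spc_xtx.c and specials.c, so nothing ties the three bounds to each other or to the arrays they guard. Writing the limit as `sizeof(buffer) - 1` at the point of use, or keeping one shared definition in a header that all three files include, would make the bound follow the array if its size ever changes. The body of spc_handler_pdfm_mapline continues outside this hunk.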
@@ -1770,9 +1771,10 @@
   fontmap_rec *mrec;
   char        *map_name, opchr;
   int          error = 0;
-  static char  buffer[1024];
+  static char  buffer[THEBUFFLENGTH];
   const char  *p;
   char        *q;
+  int         count;
 
   skip_white(&ap->curptr, ap->endptr);
   if (ap->curptr >= ap->endptr) {
@@ -1800,8 +1802,13 @@
   default:
     p = ap->curptr;
     q = buffer;
-    while (p < ap->endptr)
+    count = 0;
+    while (p < ap->endptr && count < THEBUFFLENGTH - 1) {
       *q++ = *p++;
+      count++;
+    }
+    if (count == THEBUFFLENGTH - 1)
+      spc_warn(spe, "Too long a fontmap line.");
     *q = '\0';
     mrec = NEW(1, fontmap_rec);
     pdf_init_fontmap_record(mrec);
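Review bot: The check after the copy loop, `count == THEBUFFLENGTH - 1`, is also true when the fontmap line is exactly 1023 bytes and was copied in full, so a line that fits is reported as too long; `if (p < ap->endptr)` tests the real condition, that input was left over. When truncation does happen, the code only warns and then appears to build a fontmap record from the cut-off text, so an over-long special could yield a map entry the author never wrote. Failing closed would be safer, for example by setting `error = -1` and returning before `NEW(1, fontmap_rec)`, provided nothing allocated earlier in the function needs releasing. The identical loop in spc_handler_xtx_fontmapline in spc_xtx.c has the same two issues. The function starts and ends outside this hunk.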

Modified: trunk/Build/source/texk/dvipdfm-x/spc_xtx.c
===================================================================
--- trunk/Build/source/texk/dvipdfm-x/spc_xtx.c	2019-03-29 21:18:52 UTC (rev 50644)
+++ trunk/Build/source/texk/dvipdfm-x/spc_xtx.c	2019-03-29 22:13:05 UTC (rev 50645)
@@ -1,7 +1,7 @@
 /*  This is xdvipdfmx, an extended version of dvipdfmx,
     an eXtended version of dvipdfm by Mark A. Wicks.
 
-    Copyright (C) 2013-2016 by the dvipdfmx project team.
+    Copyright (C) 2013-2019 by the dvipdfmx project team.
 
     Copyright (c) 2006 SIL International
     Originally written by Jonathan Kew
@@ -195,6 +195,7 @@
 }
 
 /* FIXME: xdv2pdf's x:fontmapline and x:fontmapfile may have slightly different syntax/semantics */
+#define THEBUFFLENGTH 1024
 static int
 spc_handler_xtx_fontmapline (struct spc_env *spe, struct spc_arg *ap)
 {
@@ -201,9 +202,10 @@
   fontmap_rec *mrec;
   char        *map_name, opchr;
   int          error = 0;
-  static char  buffer[1024];
+  static char  buffer[THEBUFFLENGTH];
   const char  *p;
   char        *q;
+  int         count;
 
   skip_white(&ap->curptr, ap->endptr);
   if (ap->curptr >= ap->endptr) {
@@ -231,8 +233,13 @@
   default:
     p = ap->curptr;
     q = buffer;
-    while (p < ap->endptr)
+    count = 0;
+    while (p < ap->endptr && count < THEBUFFLENGTH - 1) {
       *q++ = *p++;
+      count++;
+    }
+    if (count == THEBUFFLENGTH - 1)
+      spc_warn(spe, "Too long a fontmap line.");
     *q = '\0';
     mrec = NEW(1, fontmap_rec);
     pdf_init_fontmap_record(mrec);

Modified: trunk/Build/source/texk/dvipdfm-x/specials.c
===================================================================
--- trunk/Build/source/texk/dvipdfm-x/specials.c	2019-03-29 21:18:52 UTC (rev 50644)
+++ trunk/Build/source/texk/dvipdfm-x/specials.c	2019-03-29 22:13:05 UTC (rev 50645)
@@ -1,6 +1,6 @@
 /* This is dvipdfmx, an eXtended version of dvipdfm by Mark A. Wicks.
 
-    Copyright (C) 2002-2018 by Jin-Hwan Cho and Shunsaku Hirata,
+    Copyright (C) 2002-2019 by Jin-Hwan Cho and Shunsaku Hirata,
     the dvipdfmx project team.
     
     Copyright (C) 1998, 1999 by Mark A. Wicks <mwicks at kettering.edu>
@@ -53,15 +53,16 @@
 
 #include "specials.h"
 
+#define THEBUFFLENGTH 1024
 void
 spc_warn (struct spc_env *spe, const char *fmt, ...)
 {
   va_list  ap;
-  static char buf[1024];
+  static char buf[THEBUFFLENGTH];
 
   va_start(ap, fmt);
 
-  vsprintf(buf, fmt, ap);
+  vsnprintf(buf, THEBUFFLENGTH, fmt, ap);
   WARN(buf);
 
   va_end(ap);
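Review bot: `WARN(buf)` passes the already-formatted message as WARN's first argument. If WARN is itself printf-style (its declaration is not visible in this hunk), any `%` that reached buf through a `%s` argument taken from special or file content is interpreted a second time, and `WARN("%s", buf);` would close that off. The return value of vsnprintf is also discarded, so a truncated warning goes unnoticed, and `sizeof(buf)` in place of THEBUFFLENGTH would keep the bound tied to the array. The closing brace of spc_warn is outside the hunk.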


