texlive[50649] Build/source/texk/dvipsk: further buffer size
commits+karl at tug.org
commits+karl at tug.org
Sat Mar 30 02:30:26 CET 2019
Revision: 50649
http://tug.org/svn/texlive?view=revision&revision=50649
Author: karl
Date: 2019-03-30 02:30:26 +0100 (Sat, 30 Mar 2019)
Log Message:
-----------
further buffer size corrections
Modified Paths:
--------------
trunk/Build/source/texk/dvipsk/ChangeLog
trunk/Build/source/texk/dvipsk/dospecial.c
trunk/Build/source/texk/dvipsk/test-overflow-buffers.test
trunk/Build/source/texk/dvipsk/testdata/overflow-epsfile.dvi
trunk/Build/source/texk/dvipsk/testdata/overflow-psbox.dvi
trunk/Build/source/texk/dvipsk/testdata/overflow-psbox.tex
Added Paths:
-----------
trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.dvi
trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.tex
trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.dvi
trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.tex
Modified: trunk/Build/source/texk/dvipsk/ChangeLog
===================================================================
--- trunk/Build/source/texk/dvipsk/ChangeLog 2019-03-30 01:23:39 UTC (rev 50648)
+++ trunk/Build/source/texk/dvipsk/ChangeLog 2019-03-30 01:30:26 UTC (rev 50649)
@@ -1,8 +1,12 @@
2019-03-29 Karl Berry <karl at freefriends.org>
+ * dospecial.c (dospecial) <bare psfile>: reverse sense of maccess
+ test, as intended; check for buffer overflow.
+ (maccess): add doc.
+
* color.c (colorcmdout),
- * dospecial.c (dospecial) <epsfile>, <postscriptbox>: check for
- buffer overflows.
+ * dospecial.c (dospecial) <epsfile>, <postscriptbox>, <psfile>:
+ check for buffer overflows.
* test-overflow-buffers.test,
* testdata/color.pro,
* testdata/overflow-color-push.dvi,
Modified: trunk/Build/source/texk/dvipsk/dospecial.c
===================================================================
--- trunk/Build/source/texk/dvipsk/dospecial.c 2019-03-30 01:23:39 UTC (rev 50648)
+++ trunk/Build/source/texk/dvipsk/dospecial.c 2019-03-30 01:30:26 UTC (rev 50649)
@@ -574,13 +574,15 @@
scanfontcomments(ValStr);
}
+/* Return 1 if S is readable along figpath, 0 if not. */
static int
maccess(char *s)
{
FILE *f = search(figpath, s, "r");
- if (f)
+ int found = (f != 0);
+ if (found)
(*close_file) (f);
- return (f != 0);
+ return found;
}
const char *tasks[] = { 0, "iff2ps", "tek2ps" };
@@ -651,16 +653,22 @@
unsigned psfilelen = 0;
p += 8;
- while (!isspace((unsigned char)*p)) {
+ while (*p && !isspace((unsigned char)*p)) {
if (psfilelen < PSFILESIZ) {
psfile[psfilelen] = *p;
psfilelen++;
+ p++;
} else {
- sprintf(errbuf, "! epsfile= argument longer than %d characters",
- PSFILESIZ);
+ psfile[psfilelen] = 0; /* should not strictly be necessary */
+ sprintf(errbuf,
+ "! epsfile=%.20s... argument longer than %d characters",
+ psfile, PSFILESIZ);
error(errbuf);
}
}
+ if (psfilelen == 0) {
+ error ("! epsfile= argument empty");
+ }
psfile[psfilelen] = 0;
p += strlen(psfile);
fgetboundingbox(psfile, &llx, &lly, &urx, &ury);
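Review bot: `p` is advanced twice over the epsfile= argument: the loop now does `p++` for every copied character, and the unchanged `p += strlen(psfile);` after the loop skips the same length again, which can leave `p` beyond the end of the special string for whatever parses it next (that code is outside this hunk). Dropping the `p += strlen(psfile);` line is sufficient now that the loop consumes the argument itself. Separately, the guard `psfilelen < PSFILESIZ` lets `psfilelen` reach `PSFILESIZ`, so both `psfile[psfilelen] = 0` stores can write index `PSFILESIZ`; if `psfile` is declared with `PSFILESIZ` elements (the declaration is not visible here) that is one byte past the buffer, and the test should read `if (psfilelen < PSFILESIZ - 1) {`. The else branch also never advances `p`, so the loop ends only if `error()` does not return for a `!` message; a one-line comment stating that assumption would help.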
@@ -936,11 +944,16 @@
while( (p=GetKeyVal(p,&j)) != NULL )
switch (j) {
- case -1: /* for compatability with old conventions, we allow a file name
+ case -1: /* for compatibility with old conventions, we allow a file name
* to be given without the 'psfile=' keyword */
- if (!psfile[0] && maccess(KeyStr)==0) /* yes we can read it */
+ if (!psfile[0] && maccess(KeyStr)==1) { /* yes we can read it */
+ if (strlen(KeyStr) >= PSFILESIZ) {
+ sprintf(errbuf,
+ "! Bare filename (%.20s...) in \\special longer than %d characters",
+ KeyStr, PSFILESIZ);
+ }
strcpy(psfile,KeyStr);
- else {
+ } else {
if (strlen(KeyStr) < 40) {
sprintf(errbuf,
"Unknown keyword (%s) in \\special will be ignored",
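Review bot: The new length check in the bare-filename branch formats a message into `errbuf` but never reports it, so an over-long `KeyStr` still reaches `strcpy(psfile,KeyStr);` unchecked. The parallel check added for `case 0: case 1: case 2:` in a later hunk calls `error(errbuf);` right after its `sprintf`; the same call is needed here, before the closing brace of the `if (strlen(KeyStr) >= PSFILESIZ)` block. The added overflow-keyword test only covers a name that does not exist along figpath, so this branch is not exercised by the test suite. The enclosing switch continues outside the hunk.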
@@ -947,7 +960,7 @@
KeyStr);
} else {
sprintf(errbuf,
- "Unknown keyword (%.40s...) in \\special will be ignored",
+ "Unknown keyword (%.40s...) in \\special will be ignored",
KeyStr);
}
specerror(errbuf);
@@ -955,11 +968,18 @@
break;
case 0: case 1: case 2: /* psfile */
if (psfile[0]) {
- sprintf(errbuf, "More than one \\special %s given; %s ignored",
- "psfile", ValStr);
+ sprintf(errbuf, "More than one \\special %s given; %.40s ignored",
+ "psfile", ValStr);
specerror(errbuf);
+ } else {
+ if (strlen(ValStr) >= PSFILESIZ) {
+ sprintf(errbuf,
+ "! PS filename (%.20s...) in \\special longer than %d characters",
+ ValStr, PSFILESIZ);
+ error(errbuf);
+ }
+ strcpy(psfile, ValStr);
}
- else strcpy(psfile,ValStr);
task = tasks[j];
break;
default: /* most keywords are output as PostScript procedure calls */
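Review bot: The `strcpy(psfile, ValStr);` after the length check is bounded only if `error(errbuf)` does not return for a message starting with `!`, which this hunk does not show. A comment on the check would make that dependency explicit, for example `/* error() with a leading '!' is fatal, so the strcpy below is bounded */`, once confirmed against `error()`. If it can return, the copy belongs in an `else` of the length check instead. The messages are now capped with `%.20s` and `%.40s`, but `errbuf` is declared outside the hunk and its size should be checked against the longest formatted message.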
Modified: trunk/Build/source/texk/dvipsk/test-overflow-buffers.test
===================================================================
--- trunk/Build/source/texk/dvipsk/test-overflow-buffers.test 2019-03-30 01:23:39 UTC (rev 50648)
+++ trunk/Build/source/texk/dvipsk/test-overflow-buffers.test 2019-03-30 01:30:26 UTC (rev 50649)
@@ -3,7 +3,8 @@
# Public domain. Various buffer overflows, reported by
# Andy Nguyen of ETH Zurich. The program should detect and abort.
-for tst in overflow-color-push overflow-epsfile overflow-psbox; do
+for tst in overflow-color-push overflow-epsfile \
+ overflow-ifffile overflow-psbox; do
:
if ./dvips $srcdir/testdata/$tst.dvi -o; then
echo "$0: test $tst should have failed." >&2
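Review bot: The loop treats any non-zero exit from `./dvips` as a pass, so a run that crashes on the overflow (killed by a signal, status above 128) is indistinguishable from the intended detect-and-abort. With overflow-ifffile added to the list, the check could capture the status and reject signal exits, e.g. `./dvips "$srcdir/testdata/$tst.dvi" -o; rc=$?` followed by `if test $rc -eq 0 || test $rc -gt 128; then`. The `fi` and `done` that close the loop are outside this hunk.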
@@ -11,4 +12,10 @@
fi
done
+# overflow-keyword succeeds, because the special is ignored,
+# because the file (named with 999 a's) does not exist.
+tst=overflow-keyword
+./dvips $srcdir/testdata/$tst.dvi -o || exit 1
+grep ' @setspecial' $tst.ps || exit 1
+
exit 0
Modified: trunk/Build/source/texk/dvipsk/testdata/overflow-epsfile.dvi
===================================================================
(Binary files differ)
Added: trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.dvi
===================================================================
(Binary files differ)
Index: trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.dvi
===================================================================
--- trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.dvi 2019-03-30 01:23:39 UTC (rev 50648)
+++ trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.dvi 2019-03-30 01:30:26 UTC (rev 50649)
Property changes on: trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.dvi
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+application/x-dvi
\ No newline at end of property
Added: trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.tex
===================================================================
--- trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.tex (rev 0)
+++ trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.tex 2019-03-30 01:30:26 UTC (rev 50649)
@@ -0,0 +1,12 @@
+\documentclass{article}
+
+\begin{document}
+\thispagestyle{empty}
+
+\begin{figure}[p]
+
+\special{ifffile=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
+
+\end{figure}
+
+\end{document}
Property changes on: trunk/Build/source/texk/dvipsk/testdata/overflow-ifffile.tex
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.dvi
===================================================================
(Binary files differ)
Index: trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.dvi
===================================================================
--- trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.dvi 2019-03-30 01:23:39 UTC (rev 50648)
+++ trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.dvi 2019-03-30 01:30:26 UTC (rev 50649)
Property changes on: trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.dvi
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+application/x-dvi
\ No newline at end of property
Added: trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.tex
===================================================================
--- trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.tex (rev 0)
+++ trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.tex 2019-03-30 01:30:26 UTC (rev 50649)
@@ -0,0 +1,12 @@
+\documentclass{article}
+
+\begin{document}
+\thispagestyle{empty}
+
+\begin{figure}[p]
+
+\special{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}
+
+\end{figure}
+
+\end{document}
Property changes on: trunk/Build/source/texk/dvipsk/testdata/overflow-keyword.tex
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Modified: trunk/Build/source/texk/dvipsk/testdata/overflow-psbox.dvi
===================================================================
(Binary files differ)
Modified: trunk/Build/source/texk/dvipsk/testdata/overflow-psbox.tex
===================================================================
--- trunk/Build/source/texk/dvipsk/testdata/overflow-psbox.tex 2019-03-30 01:23:39 UTC (rev 50648)
+++ trunk/Build/source/texk/dvipsk/testdata/overflow-psbox.tex 2019-03-30 01:30:26 UTC (rev 50649)
@@ -1,5 +1,5 @@
% Andy Nguyen of ETH Zurich. Public domain.
-% tlsecurity mail of 28 Mar 2019 18:20:48.
+% tlsecurity mail of 29 Mar 2019 22:41:20.
% File "dvipsk/dospecial.c", subroutine "dospecial": "psfile" is parsed using
% "sscanf(p+13, "{%fpt}{%fpt}{%[^}]}", &w, &h, psfile)", which has no length
% limitation.
@@ -11,7 +11,7 @@
\begin{figure}[p]
-\special{postscriptbox{}{}{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}}
+\special{postscriptbox{42pt}{1337pt}{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}}
\end{figure}