texlive[50670] avoid writing beyond end of isblack

commits+karl at tug.org commits+karl at tug.org
Sat Mar 30 23:42:24 CET 2019 

Revision: 50670
          http://tug.org/svn/texlive?view=revision&revision=50670
Author:   karl
Date:     2019-03-30 23:42:24 +0100 (Sat, 30 Mar 2019)
Log Message:
-----------
avoid writing beyond end of isblack

Modified Paths:
--------------
    trunk/Build/source/texk/dvipsk/ChangeLog
    trunk/Build/source/texk/dvipsk/emspecial.c

Property Changed:
----------------
    trunk/Build/source/texk/dvipsk/emspecial.c

Modified: trunk/Build/source/texk/dvipsk/ChangeLog
===================================================================
--- trunk/Build/source/texk/dvipsk/ChangeLog	2019-03-30 22:28:38 UTC (rev 50669)
+++ trunk/Build/source/texk/dvipsk/ChangeLog	2019-03-30 22:42:24 UTC (rev 50670)
@@ -1,3 +1,9 @@
+2019-03-30  Karl Berry  <karl at freefriends.org>
+
+	* emspecial.c (bmpgraph): avoid writing after isblack
+	if clrtablesize is >256.
+	Report from Andy Nguyen of ETH Zurich.
+
 2019-03-29  Karl Berry  <karl at freefriends.org>
 
 	* loadfont.c (errbuf),

Modified: trunk/Build/source/texk/dvipsk/emspecial.c
===================================================================
--- trunk/Build/source/texk/dvipsk/emspecial.c	2019-03-30 22:28:38 UTC (rev 50669)
+++ trunk/Build/source/texk/dvipsk/emspecial.c	2019-03-30 22:42:24 UTC (rev 50670)
@@ -1,4 +1,4 @@
-/*
+/* $Id$
  *   emspecial.c
  *   This routine handles the emTeX special commands.
  */
@@ -1142,7 +1142,8 @@
 	struct bitmapfileheader bmfh;
 	struct bitmapinfoheader bmih;
 
-	unsigned char isblack[256];
+	#define ISBLACKSIZ 256
+	unsigned char isblack[ISBLACKSIZ];
 	unsigned char rr;
 	unsigned char gg;
 	unsigned char bb;
@@ -1251,6 +1252,17 @@
         else
 		clrtablesize = bmih.clrused;
 
+	if (clrtablesize > ISBLACKSIZ) {
+		/* This is wrong, since we won't read the whole file below.
+		   But we can't give correct output without more work,
+		   and it's unlikely these specials are still in use.  */
+		sprintf(errbuf,
+		   "em color table size (%d) larger than %d; output incorrect",
+		        clrtablesize, ISBLACKSIZ);
+   		specerror(errbuf);
+		clrtablesize = ISBLACKSIZ;
+	}
+	
 	/* read in the color table */
 	for (i = 0; i < clrtablesize; i++) {
 		bb = fgetc(f);


Property changes on: trunk/Build/source/texk/dvipsk/emspecial.c
___________________________________________________________________
Added: svn:keywords
## -0,0 +1 ##
+Date Author Id Revision
\ No newline at end of property

More information about the tex-live-commits mailing list