texlive[67656] Build/source/texk/web2c: [C/WEB] Deal with malign user

commits+ascherer at tug.org
Mon Jul 17 17:15:21 CEST 2023


Revision: 67656
          http://tug.org/svn/texlive?view=revision&revision=67656
Author:   ascherer
Date:     2023-07-17 17:15:21 +0200 (Mon, 17 Jul 2023)
Log Message:
-----------
[C/WEB] Deal with malign user input.

'break_out' and 'flush_buffer' were tricked into putting an extremely
long TeX macro (longer than 'line_length', i.e., 80 chars) into
'out_buf', which overflowed. This, of course, would wreak havoc, both in
the TeX output and in the runtime system.

See https://tug.org/pipermail/tex-live/2023-July/049306.htm for the
initial bug report.

Modified Paths:
--------------
    trunk/Build/source/texk/web2c/ChangeLog
    trunk/Build/source/texk/web2c/cwebdir/ChangeLog
    trunk/Build/source/texk/web2c/cwebdir/cweave.w
    trunk/Build/source/texk/web2c/weave.ch

Modified: trunk/Build/source/texk/web2c/ChangeLog
===================================================================
--- trunk/Build/source/texk/web2c/ChangeLog	2023-07-16 23:43:16 UTC (rev 67655)
+++ trunk/Build/source/texk/web2c/ChangeLog	2023-07-17 15:15:21 UTC (rev 67656)
@@ -1,3 +1,7 @@
+2023-07-17  Andreas Scherer  <https://ascherer.github.io>
+
+	* weave.ch: Deal with malign user input.
+
 2023-07-09  Andreas Scherer  <https://ascherer.github.io>
 
 	* cwebboot.cin: Regenerate boot source.

Modified: trunk/Build/source/texk/web2c/cwebdir/ChangeLog
===================================================================
--- trunk/Build/source/texk/web2c/cwebdir/ChangeLog	2023-07-16 23:43:16 UTC (rev 67655)
+++ trunk/Build/source/texk/web2c/cwebdir/ChangeLog	2023-07-17 15:15:21 UTC (rev 67656)
@@ -1,3 +1,7 @@
+2023-07-17  Andreas Scherer  <https://ascherer.github.io>
+
+	* cweave.w: Deal with malign user input.
+
 2023-07-16  Andreas Scherer  <https://ascherer.github.io>
 
 	* ctwill-mini.ch,
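
Review bot: the new entry `* cweave.w: Deal with malign user input.` names neither the routine that changed nor the report that prompted it. Something like `* cweave.w (break_out): Do not break after a TeX comment marker.` with the bug-report link from the log message would make the entry findable later; the same applies to the `weave.ch` entry in the web2c ChangeLog.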

Modified: trunk/Build/source/texk/web2c/cwebdir/cweave.w
===================================================================
--- trunk/Build/source/texk/web2c/cwebdir/cweave.w	2023-07-16 23:43:16 UTC (rev 67655)
+++ trunk/Build/source/texk/web2c/cwebdir/cweave.w	2023-07-17 15:15:21 UTC (rev 67656)
@@ -1443,8 +1443,8 @@
 out_buf[0]='\\';
 
 @ A long line is broken at a blank space or just before a backslash that isn't
-preceded by another backslash. In the latter case, a |'%'| is output at
-the break.
+preceded by another backslash or a \TeX\ comment marker. In the latter case, a
+|'%'| is output at the break.
 
 @c
 static void
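
Review bot: in the reworded comment, "In the latter case" has lost its referent. It used to contrast the backslash break with the blank-space break, but it now follows "or a \TeX\ comment marker" directly and can be read as "when preceded by a comment marker", which is exactly the case where no break is made. Suggest spelling it out, for example "When the line is broken before a backslash, a |'%'| is output at the break."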
@@ -1456,7 +1456,7 @@
     if (*k==' ') {
       flush_buffer(k,false,true); return;
     }
-    if (*(k--)=='\\' && *k!='\\') { /* we've decreased |k| */
+    if (*(k--)=='\\' && *k!='\\' && *k!='%') { /* we've decreased |k| */
       flush_buffer(k,true,true); return;
     }
   }
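
Review bot: the added `*k!='%'` test looks only one character back, so a backslash that follows an escaped percent (`\%`) is refused as a break point just like one that follows a real comment marker. That errs on the safe side, but the comment still reads only `/* we've decreased |k| */` and gives no reason for the new clause; a short note on why a break after `%` must be avoided, and that `\%` is deliberately treated the same way, would help the next reader. Separately, this condition narrows where a break may happen but nothing in the hunk bounds writes to `out_buf`. Since the log message describes an overflow, an explicit length check where characters are appended would keep any other input that defeats `break_out` from corrupting memory, and the list of modified paths shows no regression input accompanying the fix.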

Modified: trunk/Build/source/texk/web2c/weave.ch
===================================================================
--- trunk/Build/source/texk/web2c/weave.ch	2023-07-16 23:43:16 UTC (rev 67655)
+++ trunk/Build/source/texk/web2c/weave.ch	2023-07-17 15:15:21 UTC (rev 67656)
@@ -325,6 +325,21 @@
 if (reserved(p)or(byte_start[p]+1=byte_start[p+ww]))and
 @z
 
+ at x [127] see https://tug.org/pipermail/tex-live/2023-July/049306.htm
+preceded by another backslash. In the latter case, a |"%"| is output at
+the break.
+ at y
+preceded by another backslash or a \TeX\ comment marker. In the latter case, a
+|'%'| is output at the break.
+ at z
+
+ at x [127] deal with malign user input
+  if (d="\")and(out_buf[k-1]<>"\") then {in this case |k>1|}
+ at y
+  if (d="\")and(out_buf[k-1]<>"\")and(out_buf[k-1]<>"%") then
+    {in this case |k>1|}
+ at z
+
 @x [148] Purify 'reduce' and 'squash'.
 @d production(#)==@!debug prod(#) gubed; goto found
 @d reduce(#)==red(#); production
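
Review bot: in the first `[127]` change the matched text has `|"%"|` but the replacement has `|'%'|`, so the documentation switches quote style while the code change right below still writes `"%"`. Unless the switch is intended, keep `|"%"|` in the replacement so the prose and the Pascal code agree. The replacement also inherits the ambiguous "In the latter case" wording from the `cweave.w` comment and would benefit from the same rewording.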


