texlive[68865] Build/source/texk/web2c: check for more corruption in

commits+karl at tug.org commits+karl at tug.org
Wed Nov 15 22:23:49 CET 2023 

Revision: 68865
          https://tug.org/svn/texlive?view=revision&revision=68865
Author:   karl
Date:     2023-11-15 22:23:49 +0100 (Wed, 15 Nov 2023)
Log Message:
-----------
check for more corruption in fmt/base

Modified Paths:
--------------
    trunk/Build/source/texk/web2c/ChangeLog
    trunk/Build/source/texk/web2c/mf.ch
    trunk/Build/source/texk/web2c/tex.ch

Modified: trunk/Build/source/texk/web2c/ChangeLog
===================================================================
--- trunk/Build/source/texk/web2c/ChangeLog	2023-11-15 21:09:20 UTC (rev 68864)
+++ trunk/Build/source/texk/web2c/ChangeLog	2023-11-15 21:23:49 UTC (rev 68865)
@@ -1,3 +1,11 @@
+2023-11-15  Karl Berry  <karl at freefriends.org>
+
+	* tex.ch,
+	* mf.ch (Undump the dynamic memory): check that p does not
+	become too small, due to fmt/base corruption.
+	Report from Gregory James DUCK to Karl, 14 Sep 2023.
+	Found with a fuzz tester similar to AFL-fuzz. 
+
 2023-10-25  Andreas Scherer  <https://ascherer.github.io>
 
 	* weave.ch: Fine print for command-line options.

Modified: trunk/Build/source/texk/web2c/mf.ch
===================================================================
--- trunk/Build/source/texk/web2c/mf.ch	2023-11-15 21:09:20 UTC (rev 68864)
+++ trunk/Build/source/texk/web2c/mf.ch	2023-11-15 21:23:49 UTC (rev 68865)
@@ -1853,6 +1853,15 @@
 mem:=xmalloc_array (memory_word, mem_max - mem_min + 1);
 @z
 
+ at x [48.1195] l.22714 - Check that p did not become corrupt.
+if (p>lo_mem_max)or((q>=rlink(q))and(rlink(q)<>rover)) then goto off_base;
+ at y
+{If the base file is messed up, that addition to |p| might cause it to
+ become garbage. Report from Gregory James DUCK to Karl, 14 Sep 2023.
+ Found with a fuzz tester similar to AFL-fuzz. Also changed in \TeX.}
+if (p<mem_min)or(p>lo_mem_max)or((q>=rlink(q))and(rlink(q)<>rover)) then goto off_base;
+ at z
+
 @x [48.1199] l.22750 - Allow command line to override dumped value.
 undump(batch_mode)(error_stop_mode)(interaction);
 @y

Modified: trunk/Build/source/texk/web2c/tex.ch
===================================================================
--- trunk/Build/source/texk/web2c/tex.ch	2023-11-15 21:09:20 UTC (rev 68864)
+++ trunk/Build/source/texk/web2c/tex.ch	2023-11-15 21:23:49 UTC (rev 68865)
@@ -3653,6 +3653,15 @@
 repeat undump_things(mem[p], q+2-p);
 @z
 
+ at x [50.1312] l.23955 - Check that p did not become corrupt.
+if (p>lo_mem_max)or((q>=rlink(q))and(rlink(q)<>rover)) then goto bad_fmt;
+ at y
+{If the format file is messed up, that addition to |p| might cause it to
+ become garbage. Report from Gregory James DUCK to Karl, 14 Sep 2023.
+ Found with a fuzz tester similar to AFL-fuzz. Also changed in \MF.}
+if (p<mem_min)or(p>lo_mem_max)or((q>=rlink(q))and(rlink(q)<>rover)) then goto bad_fmt;
+ at z
+
 @x [50.1312] l.23878 - Make dumping/undumping more efficient.
 for k:=p to lo_mem_max do undump_wd(mem[k]);
 @y

More information about the tex-live-commits mailing list.