texlive[68900] Build/source/texk/web2c: improve fmt/base corruption
commits+karl at tug.org
Sun Nov 19 17:03:33 CET 2023
Revision: 68900
https://tug.org/svn/texlive?view=revision&revision=68900
Author: karl
Date: 2023-11-19 17:03:33 +0100 (Sun, 19 Nov 2023)
Log Message:
-----------
improve fmt/base corruption checks, from DRF
Modified Paths:
--------------
trunk/Build/source/texk/web2c/ChangeLog
trunk/Build/source/texk/web2c/mf.ch
trunk/Build/source/texk/web2c/tex.ch
Modified: trunk/Build/source/texk/web2c/ChangeLog
===================================================================
--- trunk/Build/source/texk/web2c/ChangeLog 2023-11-19 13:44:24 UTC (rev 68899)
+++ trunk/Build/source/texk/web2c/ChangeLog 2023-11-19 16:03:33 UTC (rev 68900)
@@ -1,3 +1,9 @@
+2023-11-19 Karl Berry <karl at freefriends.org>
+
+ * tex.ch,
+ * mf.ch (Undump the dynamic memory): improve fmt/base corruption
+ tests, from DRF.
+
2023-11-19 Andreas Scherer <https://ascherer.github.io>
* ctangleboot.cin,
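Review bot: the entry "improve fmt/base corruption tests, from DRF" does not say what changed; a clause such as "test node_size(q) and rlink(q) against lo_mem_max before computing p, so the check no longer relies on the addition wrapping around" would let a reader of the ChangeLog see the nature of the fix (and its regression surface) without opening the diff, and would match the explanation already placed in the source comment.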
Modified: trunk/Build/source/texk/web2c/mf.ch
===================================================================
--- trunk/Build/source/texk/web2c/mf.ch 2023-11-19 13:44:24 UTC (rev 68899)
+++ trunk/Build/source/texk/web2c/mf.ch 2023-11-19 16:03:33 UTC (rev 68900)
@@ -1854,12 +1854,19 @@
@z
@x [48.1195] l.22714 - Check that p did not become corrupt.
+p:=q+node_size(q);
if (p>lo_mem_max)or((q>=rlink(q))and(rlink(q)<>rover)) then goto off_base;
@y
{If the base file is messed up, that addition to |p| might cause it to
become garbage. Report from Gregory James DUCK to Karl, 14 Sep 2023.
- Found with a fuzz tester similar to AFL-fuzz. Also changed in \TeX.}
-if (p<mem_min)or(p>lo_mem_max)or((q>=rlink(q))and(rlink(q)<>rover)) then goto off_base;
+ Also changed in \MF. Fix from DRF, who explains: we test before doing the
+ addition to avoid assuming silent wrap-around overflow, and also to to
+ catch cases where |node_size| was, say, bogusly the equivalent of $-1$
+ and thus |p+node_size| would still look valid.}
+if (node_size(q)>lo_mem_max-q) or (rlink(q)>lo_mem_max)
+ or ((q>=rlink(q))and(rlink(q)<>rover))
+then goto off_base;
+p:=q+node_size(q);
@z
@x [48.1199] l.22750 - Allow command line to override dumped value.
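Review bot: the new condition `if (node_size(q)>lo_mem_max-q) or (rlink(q)>lo_mem_max)` bounds p only from above; the replaced line also rejected `p<mem_min`, and nothing in the replacement covers a negative `node_size(q)`, which passes the `>lo_mem_max-q` comparison and then makes `p:=q+node_size(q)` land below q (possibly below mem_min) with no overflow involved. Unless node_size is guaranteed non-negative at this point, add `(node_size(q)<0)` to the disjunction. Two nits in the new comment text: this is mf.ch, so "Also changed in \MF." should read "Also changed in \TeX." as the replaced line did (the tex.ch twin correctly says \MF), and "and also to to catch cases" has a doubled "to".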
Modified: trunk/Build/source/texk/web2c/tex.ch
===================================================================
--- trunk/Build/source/texk/web2c/tex.ch 2023-11-19 13:44:24 UTC (rev 68899)
+++ trunk/Build/source/texk/web2c/tex.ch 2023-11-19 16:03:33 UTC (rev 68900)
@@ -3654,12 +3654,19 @@
@z
@x [50.1312] l.23955 - Check that p did not become corrupt.
+p:=q+node_size(q);
if (p>lo_mem_max)or((q>=rlink(q))and(rlink(q)<>rover)) then goto bad_fmt;
@y
{If the format file is messed up, that addition to |p| might cause it to
become garbage. Report from Gregory James DUCK to Karl, 14 Sep 2023.
- Found with a fuzz tester similar to AFL-fuzz. Also changed in \MF.}
-if (p<mem_min)or(p>lo_mem_max)or((q>=rlink(q))and(rlink(q)<>rover)) then goto bad_fmt;
+ Also changed in \MF. Fix from DRF, who explains: we test before doing the
+ addition to avoid assuming silent wrap-around overflow, and also to to
+ catch cases where |node_size| was, say, bogusly the equivalent of $-1$
+ and thus |p+node_size| would still look valid.}
+if (node_size(q)>lo_mem_max-q) or (rlink(q)>lo_mem_max)
+ or ((q>=rlink(q))and(rlink(q)<>rover))
+then goto bad_fmt;
+p:=q+node_size(q);
@z
@x [50.1312] l.23878 - Make dumping/undumping more efficient.
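Review bot: the replaced line tested `p<mem_min`, but the new condition `(node_size(q)>lo_mem_max-q) or (rlink(q)>lo_mem_max) or ((q>=rlink(q))and(rlink(q)<>rover))` has no lower bound, so a negative `node_size(q)` passes it and `p:=q+node_size(q)` then falls below q rather than being rejected with goto bad_fmt; unless node_size cannot be negative here, add `(node_size(q)<0)` to the test. Also, "and also to to catch cases" in the new comment has a doubled "to".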