texlive[74580] Build/source/texk/web2c: [TANGLE] Prevent integer

commits+ascherer at tug.org commits+ascherer at tug.org
Tue Mar 11 23:48:46 CET 2025 

Revision: 74580
          https://tug.org/svn/texlive?view=revision&revision=74580
Author:   ascherer
Date:     2025-03-11 23:48:46 +0100 (Tue, 11 Mar 2025)
Log Message:
-----------
[TANGLE] Prevent integer overflow in scan_numeric().

In message <https://tug.org/pipermail/tex-k/2025-March/004165.html>
Benjamin Gray reported missing checks against integer overflow in
sections 160--162. He proposed to copy code from section 119.

Further analysis showed that the extended limits introduced in 2001
in section 119 for octal and hexadecimal constants easily lead to
integer overflow, because both '(010000000000-1)*8+07' and
'(0x40000000-1)*16+0xF' exceed 'INT_MAX' on systems with 32 bit 'int'.

This commit (a) restores the safe limits from TANGLE.WEB (replacing the
first octal value with its decimal representation) in section 119 and
(b) introduces similar checks in sections 160--162.

Note that the other changes made in 2001 for numeric identifiers (see
section 47, moving from 2^15 to 2^30) remain in place, at least until
further issues arise.

Modified Paths:
--------------
    trunk/Build/source/texk/web2c/ChangeLog
    trunk/Build/source/texk/web2c/tangle.ch
    trunk/Build/source/texk/web2c/tangleboot.pin

Modified: trunk/Build/source/texk/web2c/ChangeLog
===================================================================
--- trunk/Build/source/texk/web2c/ChangeLog	2025-03-11 22:12:37 UTC (rev 74579)
+++ trunk/Build/source/texk/web2c/ChangeLog	2025-03-11 22:48:46 UTC (rev 74580)
@@ -1,14 +1,21 @@
+2025-03-11  Andreas Scherer  <https://ascherer.github.io>
+
+	* tangle.ch,
+	* tangleboot.pin: Prevent integer overflow in scan_numeric().
+	Report and initial patch from Benjamin Gray
+	(https://tug.org/pipermail/tex-k/2025-March/004165.html).
+
 2025-03-10  Andreas Scherer  <https://ascherer.github.io>
 
-	* texk/web2c/tangle.ch,
-	* texk/web2c/tangleboot.pin: Reject strings as macro names.
+	* tangle.ch,
+	* tangleboot.pin: Reject strings as macro names.
 	Report and initial patch from Benjamin Gray
 	(https://tug.org/pipermail/tex-k/2025-March/004163.html).
 
 2025-03-10  Andreas Scherer  <https://ascherer.github.io>
 
-	* texk/web2c/tangle.ch,
-	* texk/web2c/tangleboot.pin: Change case for letters only.
+	* tangle.ch,
+	* tangleboot.pin: Change case for letters only.
 	Report and initial patch from Benjamin Gray
 	(https://tug.org/pipermail/tex-k/2025-March/004161.html).
 

Modified: trunk/Build/source/texk/web2c/tangle.ch
===================================================================
--- trunk/Build/source/texk/web2c/tangle.ch	2025-03-11 22:12:37 UTC (rev 74579)
+++ trunk/Build/source/texk/web2c/tangle.ch	2025-03-11 22:48:46 UTC (rev 74580)
@@ -497,16 +497,11 @@
   end;
 @z
 
- at x [11.119] l.2199 - Stretch limits of constants to match what we set for expressions.
-  if n>=@'2000000000 then err_print('! Constant too big')
+ at x [11.119] l.2185 - Calculate with decimal limit value INT_MAX/10.
+  if n>=@'1463146314 then err_print('! Constant too big')
 @y
-  if n>=@'10000000000 then err_print('! Constant too big')
+  if n>=214748364 then err_print('! Constant too big')
 @z
- at x [11.119] l.2208
-  if n>=@"8000000 then err_print('! Constant too big')
- at y
-  if n>=@"40000000 then err_print('! Constant too big')
- at z
 
 @x [14.157] l.2862 - Larger numerics.
 if abs(accumulator)>=@'100000 then
@@ -526,6 +521,31 @@
     add_in(equiv[q]-@'10000000000);
 @z
 
+ at x [14.160] l.2915 - Avoid numeric overflow; see also section 119.
+repeat val:=10*val+next_control-"0"; next_control:=get_next;
+ at y
+repeat if val>=214748364 then err_print('! Constant too big')
+ at .Constant too big@>
+  else val:=10*val+next_control-"0";
+  next_control:=get_next;
+ at z
+ at x [14.161] l.2920 - Avoid numeric overflow; see also section 119.
+repeat val:=8*val+next_control-"0"; next_control:=get_next;
+ at y
+repeat if val>=@'2000000000 then err_print('! Constant too big')
+ at .Constant too big@>
+  else val:=8*val+next_control-"0";
+  next_control:=get_next;
+ at z
+ at x [14.162] l.2926 - Avoid numeric overflow; see also section 119.
+val:=16*val+next_control-"0"; next_control:=get_next;
+ at y
+  if val>=@"8000000 then err_print('! Constant too big')
+ at .Constant too big@>
+  else val:=16*val+next_control-"0";
+  next_control:=get_next;
+ at z
+
 @x [15.165] l.2964 - Add parametric2 macros (macros that use [] to delimit arguments).
   "(": incr(bal);
   ")": if bal=0 then err_print('! Extra )')

Modified: trunk/Build/source/texk/web2c/tangleboot.pin
===================================================================
--- trunk/Build/source/texk/web2c/tangleboot.pin	2025-03-11 22:12:37 UTC (rev 74579)
+++ trunk/Build/source/texk/web2c/tangleboot.pin	2025-03-11 22:48:46 UTC (rev 74580)
@@ -479,12 +479,12 @@
 curchar:=getoutput;until(curchar>57)or(curchar<48);sendval(n);k:=0;
 if curchar=101 then curchar:=69;if curchar=69 then goto 2 else goto 21;
 end;125:sendval(poolchecksum);12:begin n:=0;curchar:=48;
-repeat curchar:=curchar-48;if n>=1073741824 then begin writeln(stdout);
+repeat curchar:=curchar-48;if n>=268435456 then begin writeln(stdout);
 write(stdout,'! Constant too big');error;end else n:=8*n+curchar;
 curchar:=getoutput;until(curchar>55)or(curchar<48);sendval(n);goto 21;
 end;13:begin n:=0;curchar:=48;
 repeat if curchar>=65 then curchar:=curchar-55 else curchar:=curchar-48;
-if n>=1073741824 then begin writeln(stdout);
+if n>=134217728 then begin writeln(stdout);
 write(stdout,'! Constant too big');error;end else n:=16*n+curchar;
 curchar:=getoutput;
 until(curchar>70)or(curchar<48)or((curchar>57)and(curchar<65));
@@ -699,16 +699,22 @@
 begin{158:}accumulator:=0;nextsign:=+1;
 while true do begin nextcontrol:=getnext;
 21:case nextcontrol of 48,49,50,51,52,53,54,55,56,57:begin{160:}val:=0;
-repeat val:=10*val+nextcontrol-48;nextcontrol:=getnext;
+repeat if val>=214748364 then begin writeln(stdout);
+write(stdout,'! Constant too big');error;
+end else val:=10*val+nextcontrol-48;nextcontrol:=getnext;
 until(nextcontrol>57)or(nextcontrol<48){:160};
 begin accumulator:=accumulator+nextsign*(val);nextsign:=+1;end;goto 21;
 end;12:begin{161:}val:=0;nextcontrol:=48;
-repeat val:=8*val+nextcontrol-48;nextcontrol:=getnext;
+repeat if val>=268435456 then begin writeln(stdout);
+write(stdout,'! Constant too big');error;
+end else val:=8*val+nextcontrol-48;nextcontrol:=getnext;
 until(nextcontrol>55)or(nextcontrol<48){:161};
 begin accumulator:=accumulator+nextsign*(val);nextsign:=+1;end;goto 21;
 end;13:begin{162:}val:=0;nextcontrol:=48;
 repeat if nextcontrol>=65 then nextcontrol:=nextcontrol-7;
-val:=16*val+nextcontrol-48;nextcontrol:=getnext;
+if val>=134217728 then begin writeln(stdout);
+write(stdout,'! Constant too big');error;
+end else val:=16*val+nextcontrol-48;nextcontrol:=getnext;
 until(nextcontrol>70)or(nextcontrol<48)or((nextcontrol>57)and(
 nextcontrol<65)){:162};begin accumulator:=accumulator+nextsign*(val);
 nextsign:=+1;end;goto 21;end;130:begin q:=idlookup(0);

More information about the tex-live-commits mailing list.