[tex-live] Possible array overrun in texk/dvipsk/dospecial.c
Dr. Werner Fink
werner at suse.de
Thu Oct 20 09:44:39 CEST 2011
Hi,
the compiler found an overrun at line 166 withib function mfgets in
texk/dvipsk/dospecial.c:
static char *
mfgets(char *buf, unsigned int bytes, FILE *fp)
{
int i, cc;
for (i = 0; i < bytes; i++) {
cc = fgetc(fp);
if (cc == 0x0a || cc == 0x0d) {
if (cc == 0x0d) {
cc = fgetc(fp);
if (cc != 0x0a) {
ungetc(cc, fp);
}
}
cc = 0x0a;
buf[i] = cc;
buf[i+1] = '\0';
return buf;
} else if (cc == EOF) {
buf[i] = '\0';
if (i == 0) return NULL;
else return buf;
} else {
buf[i] = cc;
}
}
>> buf[i] = '\0'; << line 166
return buf;
}
the attached patch does fix this by increasing the array
by one to avoid writing beyond the upper array boundary
Werner
--
"Having a smoking section in a restaurant is like having
a peeing section in a swimming pool." -- Edward Burr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: source-overflow.dif
Type: text/x-patch
Size: 359 bytes
Desc: not available
URL: <http://tug.org/pipermail/tex-live/attachments/20111020/b04ac08a/attachment.bin>
More information about the tex-live
mailing list