[tex-live] 1 byte Buffer Overflow in writet1.c / t1_builtin_enc()
Hanno Böck
hanno at hboeck.de
Fri Jan 22 10:43:20 CET 2016
Hi,
By testing pdflatex with address sanitizer I discovered a buffer
overflow in the code in writet1.c in the function t1_builtin_enc().
It is in this line:
if (sscanf(p, "dup %i%256s put", &i, t1_buf_array) == 2 &&
The problem is that t1_buf_array is exactly 256 bytes, that means it
can only hold a string of 255 bytes because of the zero-terminator byte
of the string.
I didn't easily find out where t1_buf_array gets allocated, but I think
changing this from %256s to %255s should fix the issue.
I find the structure of the tex-projects a bit confusing, so I'm not
entirely sure if this is the right place to report this. This file
appears twice in the texlive source I have here:
./texk/web2c/pdftexdir/writet1.c
./texk/dvipsk/writet1.c
and almost identical code appears here:
./texk/web2c/luatexdir/font/writet1.w
The code that gets triggered when running pdflatex (on a random,
trivial tex input file) is the one in pdftexdir. But I assume this
should be fixed in all instances where this code appears.
Attached is a patch.
This is the error message from Address Sanitizer:
==19735==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000007300 at pc 0x7f192f4f4772 bp 0x7ffe3011c0f0 sp 0x7ffe3011c098
WRITE of size 257 at 0x611000007300 thread T0
#0 0x7f192f4f4771 (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x24771)
#1 0x7f192f4f4d95 in __interceptor___isoc99_vsscanf (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x24d95)
#2 0x7f192f4f4eaa in __interceptor___isoc99_sscanf (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x24eaa)
#3 0x59f532 in t1_builtin_enc /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writet1.c:840
#4 0x59f532 in t1_subset_ascii_part /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writet1.c:1320
#5 0x5a0680 in writet1 /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writet1.c:1693
#6 0x583197 in write_fontfile /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writefont.c:406
#7 0x583197 in write_fontdescriptor /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writefont.c:462
#8 0x5839a7 in write_fontdescriptors /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writefont.c:518
#9 0x585988 in writefontstuff /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writefont.c:595
#10 0x465e36 in closefilesandterminate /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-core-2014_build/texk/web2c/pdftex0.c:39647
#11 0x443296 in mainbody /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-core-2014_build/texk/web2c/pdftexini.c:5655
#12 0x40530d in main /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/lib/texmfmp.c:906
#13 0x7f192da037af in __libc_start_main (/lib64/libc.so.6+0x207af)
#14 0x405758 in _start (/usr/bin/pdftex-texlive-core-2014+0x405758)
0x611000007300 is located 0 bytes to the right of 256-byte region [0x611000007200,0x611000007300)
allocated by thread T0 here:
#0 0x7f192f5279e6 in __interceptor_realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x579e6)
#1 0x7f192e5d0dd9 in xrealloc (/usr/lib64/libkpathsea.so.6+0x28dd9)
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: texlive-fix-sscanf.diff
Type: text/x-patch
Size: 631 bytes
Desc: not available
URL: <http://tug.org/pipermail/tex-live/attachments/20160122/eb4ea1b4/attachment.bin>
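The width semantics behind the report and the corrected form of the check, as an added C example that is not from the email or the TeX Live sources: `T1_BUF_SIZE`, the parser function, the demo helpers and the sample encoding lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define T1_BUF_SIZE 256          /* assumed: size of t1_buf_array in the report */
/* A "%Ns" conversion stores up to N characters PLUS a terminating NUL, so
 * "%256s" can write 257 bytes: exactly the "WRITE of size 257" ASan shows.
 * Demonstrated into a deliberately oversized scratch buffer so nothing overflows. */
size_t bytes_stored_by_width_256(void)
{
    char input[400];
    char scratch[512];                 /* constructed oversized buffer */
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';    /* 399 'A's, longer than the width */
    if (sscanf(input, "%256s", scratch) != 1)
        return 0;
    return strlen(scratch) + 1;        /* characters stored + NUL */
}
/* Corrected parser for one Type1 builtin-encoding line, "dup <code> /<name> put".
 * name must hold T1_BUF_SIZE bytes; the width 255 leaves room for the NUL.
 * Returns 1 on success, 0 if the line does not parse or the glyph name was
 * cut at the width limit (then the literal " put" no longer matches). */
int parse_builtin_enc_entry(const char *line, int *code, char name[T1_BUF_SIZE])
{
    int consumed = 0;
    if (sscanf(line, "dup %i%255s put%n", code, name, &consumed) != 2)
        return 0;
    /* %n is only reached after " put" matched; otherwise consumed stays 0. */
    return consumed > 0;
}
/* Constructed inputs for the checks below. */
int demo_well_formed(void)             /* returns the parsed code, or -1 */
{
    int code = -1;
    char name[T1_BUF_SIZE];
    if (!parse_builtin_enc_entry("dup 65 /A put", &code, name))
        return -1;
    return strcmp(name, "/A") == 0 ? code : -1;
}
int demo_overlong_name(void)           /* returns 0: rejected, not silently truncated */
{
    int code;
    char name[T1_BUF_SIZE];
    char line[400] = "dup 66 /";
    memset(line + 8, 'B', 300);        /* 300-character glyph name */
    line[308] = '\0';
    strcat(line, " put");
    return parse_builtin_enc_entry(line, &code, name);
}
```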