[tex-live] TL2016: Stack smashed in upmendex fprint_uchar() function
Dr. Werner Fink
werner at suse.de
Tue Jun 14 18:35:50 CEST 2016
Hi,
during testing I've seen a stack smash caught by glibc fortify.
It seems that in texk/upmendex/fwrite.c the function fprint_uchar()
will be overflowed by the UChar initial array in indwrite()
UChar datama[256],initial[INITIALLENGTH],initial_prev[INITIALLENGTH];
[...]
fprint_uchar(fp,initial,lethead_flag,-1);
as the macro INITIALLENGTH had shown 18 members during debugging whereas
in the original fprint_uchar() only 5 members are handled
static void fprint_uchar(FILE *fp, const UChar *a, const int mode, const int len)
{
int k;
char str[15], *ret;
UChar istr[5];
int olen, wclen;
UErrorCode perr;
if (len<0) {
for (k=0; a[k] || k<4; k++) istr[k]=a[k];
wclen=k;
} else {
wclen = is_surrogate_pair(a) ? 2 : 1;
istr[0]=a[0];
if (wclen==2) istr[1]=a[1];
}
istr[wclen]=L'\0';
^^^^^^^^^^^^^^^^^^ Stack smash
maybe the macro INITIALLENGTH has other values for other builds, as this
crash only happens on a few build environments here around ;)
Werner
--
"Having a smoking section in a restaurant is like having
a peeing section in a swimming pool." -- Edward Burr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: x
Type: text/x-patch
Size: 652 bytes
Desc: Patch
URL: <http://tug.org/pipermail/tex-live/attachments/20160614/f425acf0/attachment.bin>
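The loop condition quoted above, `a[k] || k<4`, keeps copying while a[k] is non-NUL regardless of k, so an `initial` longer than four code units runs past the five-element `istr`. The following added example (not code from upmendex or from the attached patch) replays that index arithmetic without writing anywhere, so it cannot crash, and sets it beside a bounds-checked copy. It assumes `typedef uint16_t UChar` as a stand-in for ICU's type, takes INITIALLENGTH as the 18 reported in the mail, and the hardened loop is illustrative only, not the upstream fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for ICU's UChar (a UTF-16 code unit); ICU itself is not linked here. */
typedef uint16_t UChar;

#define ISTR_CAP 5          /* matches "UChar istr[5]" in the quoted fprint_uchar() */
#define INITIALLENGTH 18    /* value reported while debugging; assumed here */

/* Replays the original loop condition "a[k] || k<4" and returns the index of the
 * final write (the istr[wclen]=0 terminator). Nothing is written, so the
 * demonstration itself cannot smash the stack; a result >= ISTR_CAP means the
 * real function would have. */
size_t original_last_index_written(const UChar *a)
{
    size_t k;
    for (k = 0; a[k] || k < 4; k++)
        ;               /* original: istr[k] = a[k]; */
    return k;           /* original: istr[k] = L'\0'; */
}

/* Hardened copy (illustrative, not the upstream fix): stop at the first NUL or
 * when only the terminator slot is left, and always terminate. Returns the
 * number of code units stored, or -1 if the destination has no room at all. */
int bounded_copy(UChar *dst, size_t cap, const UChar *a)
{
    size_t k = 0;
    if (cap == 0) return -1;
    for (; k + 1 < cap && a[k]; k++)
        dst[k] = a[k];
    dst[k] = 0;
    return (int)k;
}

/* Constructed sample: an "initial" of INITIALLENGTH non-NUL code units plus a
 * terminator, standing in for a long initial passed with len == -1. */
static void fill_long_initial(UChar *buf)
{
    int i;
    for (i = 0; i < INITIALLENGTH; i++) buf[i] = (UChar)('A' + i);
    buf[INITIALLENGTH] = 0;
}

/* 1 if the original loop would write past istr[ISTR_CAP-1] for that input. */
int original_overflows_for_long_initial(void)
{
    UChar initial[INITIALLENGTH + 1];
    fill_long_initial(initial);
    return original_last_index_written(initial) >= ISTR_CAP;
}

/* Code units the hardened copy stores for the same input (always < ISTR_CAP). */
int bounded_length_for_long_initial(void)
{
    UChar initial[INITIALLENGTH + 1];
    UChar istr[ISTR_CAP];
    fill_long_initial(initial);
    return bounded_copy(istr, ISTR_CAP, initial);
}

int main(void)
{
    UChar initial[INITIALLENGTH + 1];
    fill_long_initial(initial);
    printf("original loop: last write at istr[%zu] (capacity %d)\n",
           original_last_index_written(initial), ISTR_CAP);
    printf("bounded copy : stored %d code units, terminated in bounds\n",
           bounded_length_for_long_initial());
    return 0;
}
```

With an 18-unit initial the replayed loop reports its last write at index 18, well past the five-element buffer, which is exactly the overwrite that glibc's fortify check flags as a stack smash; the bounded variant stores four code units and the terminator and never leaves the array.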