Possible SEGV (null pointer deref) in writet1.c
Gregory James DUCK
gjduck at gmail.com
Fri Aug 25 08:54:10 CEST 2023
Hi,
There seems to be a possible SEGV (null pointer dereference) in
texk/web2c/pdftexdir/writet1.c. The relevant code snippet is:
    /*
        check for `dup <index> <glyph> put'
    */
    if (sscanf(p, "dup %i%255s put", &i, t1_buf_array) == 2 &&
        *t1_buf_array == '/' && valid_code(i)) {
        if (strcmp(t1_buf_array + 1, notdef) != 0)
            glyph_names[i] = xstrdup(t1_buf_array + 1);
        p = strstr(p, " put") + strlen(" put");
        skip(p, ' ');
    }
The code seems to assume that if sscanf() returns 2 then the format string
was fully matched including the "put" substring. The problem is that
sscanf() will also return 2 even if the "put" substring is missing provided
both the i and t1_buf_array are matched and assigned (see scanf manpage).
This causes strstr() to return NULL, leading to a null pointer dereference
in the next line.
Sample stack trace:
Program received signal SIGSEGV, Segmentation fault.
t1_builtin_enc () at ../../../texk/web2c/pdftexdir/writet1.c:845
...
#0 t1_builtin_enc () at ../../../texk/web2c/pdftexdir/writet1.c:845
#1 t1_subset_ascii_part () at ../../../texk/web2c/pdftexdir/writet1.c:1320
#2 0x000055555562dc5a in writet1 (fd=0x555555838960) at ../../../texk/web2c/pdftexdir/writet1.c:1697
#3 write_fontfile (fd=0x555555838960) at ../../../texk/web2c/pdftexdir/writefont.c:406
#4 0x000055555563126e in write_fontdescriptor (fd=0x555555838960) at ../../../texk/web2c/pdftexdir/writefont.c:462
#5 0x000055555563177d in write_fontdescriptors () at ../../../texk/web2c/pdftexdir/writefont.c:534
#6 0x000055555562a627 in writefontstuff () at ../../../texk/web2c/pdftexdir/writefont.c:613
#7 closefilesandterminate () at /usr/src/texlive-bin-2022.20220321.62855-5ubuntu0.1/Work/texk/web2c/pdftex0.c:40300
#8 0x00005555555af7e5 in mainbody () at /usr/src/texlive-bin-2022.20220321.62855-5ubuntu0.1/Work/texk/web2c/pdftexini.c:5660
#9 main (ac=<optimized out>, av=<optimized out>) at ../../../texk/web2c/lib/texmfmp.c:1175
Attached is a (corrupted) PoC cmr10.pfb file that can be used to reproduce
the problem. Replacing the system version and using pdflatex or pdftex
works for me.
-Greg.
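The sscanf() behaviour the report describes, shown as an added example that is not part of the original mail and not the TeX Live project's fix. It reproduces the original decision logic in original_would_crash() (reporting where the real code would have dereferenced NULL instead of dereferencing it) and puts a hardened parser beside it that uses the %n conversion to verify that the trailing "put" literal was really consumed. valid_code() is a stand-in for pdftex's function and is assumed to accept slots 0..255; the notdef filtering and xstrdup() of the original are left out, and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Stand-in for pdftex's valid_code(): accept encoding slots 0..255 (assumption). */
static int valid_code(int i) { return i >= 0 && i <= 255; }

/* Reproduces the decision the original code makes: returns 1 where it would
   take the branch and then dereference NULL, i.e. sscanf() returned 2 and the
   name starts with '/', but " put" occurs nowhere in the line. */
static int original_would_crash(const char *p)
{
    char t1_buf_array[256];
    int i;
    if (sscanf(p, "dup %i%255s put", &i, t1_buf_array) == 2 &&
        t1_buf_array[0] == '/' && valid_code(i)) {
        /* original: p = strstr(p, " put") + strlen(" put"); */
        return strstr(p, " put") == NULL;
    }
    return 0;
}

/* Hardened version: %n stores how many characters sscanf() consumed and is
   only reached when the literal "put" actually matched, so consumed == 0
   means the format was not fully matched. The caller advances by `consumed`
   instead of searching for " put" a second time. Returns the pointer past the
   entry (following blanks skipped), or NULL if the line is not a well-formed
   `dup <index> /<glyph> put'. */
static const char *parse_dup_entry(const char *p, int *index, char *glyph, size_t glyph_len)
{
    char t1_buf_array[256];
    int i, consumed = 0;

    if (sscanf(p, "dup %i%255s put%n", &i, t1_buf_array, &consumed) != 2 || consumed == 0)
        return NULL;
    if (t1_buf_array[0] != '/' || !valid_code(i))
        return NULL;

    *index = i;
    snprintf(glyph, glyph_len, "%s", t1_buf_array + 1);
    p += consumed;
    while (*p == ' ')          /* skip(p, ' ') in the original */
        p++;
    return p;
}

/* Checking helper: 1 if parse_dup_entry() accepts `line` and yields exactly
   the expected index, glyph name and remainder, 0 otherwise. */
static int check_entry(const char *line, int want_index, const char *want_glyph,
                       const char *want_rest)
{
    char glyph[256];
    int index = -1;
    const char *rest = parse_dup_entry(line, &index, glyph, sizeof glyph);
    if (rest == NULL)
        return 0;
    return index == want_index && strcmp(glyph, want_glyph) == 0 &&
           strcmp(rest, want_rest) == 0;
}

int main(void)
{
    /* Constructed sample lines: one well-formed entry and two truncated ones
       of the kind a corrupted .pfb could contain. */
    const char *lines[] = {
        "dup 65 /A put dup 66 /B put",
        "dup 65 /A",        /* "put" missing entirely */
        "dup 65 /Aput",     /* no blank before put: %255s swallows it */
    };
    for (size_t k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        char glyph[256];
        int index;
        const char *rest = parse_dup_entry(lines[k], &index, glyph, sizeof glyph);
        printf("%-30s original would crash: %d  hardened: %s\n", lines[k],
               original_would_crash(lines[k]), rest ? "accepted" : "rejected");
    }
    return 0;
}
```

The %n directive is not counted in sscanf()'s return value, so the `== 2` check keeps its meaning; the extra `consumed == 0` test is what distinguishes "both fields assigned" from "whole format matched". Using `consumed` to advance also removes the second strstr() scan whose result the original never checked.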
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cmr10.pfb
Type: application/x-font-type1
Size: 35753 bytes
Desc: not available
URL: <https://tug.org/pipermail/tex-live/attachments/20230825/5d07f139/attachment-0001.bin>