Possible SEGV (null pointer dereference) in tounicode.c

Gregory James DUCK gjduck at gmail.com
Mon Aug 28 07:01:56 CEST 2023


Hi,

Thanks for promptly addressing the writet1.c issue.  I have also found
another possible SEGV (null pointer deref) in
texk/web2c/pdftexdir/tounicode.c.  The relevant code snippet is:

        glyph_unicode_entry *gu = new_glyph_unicode_entry();
        undumpcharptr(gu->name);
        ...
        result = avl_probe(glyph_unicode_tree, gu);

Under some conditions it appears that the undumpcharptr() macro can "fail"
in which case gu->name will be set to NULL (see the definition for
undumpcharptr).  This causes a SEGV inside avl_probe() when the comparison
function (comp_glyph_unicode_entry) calls strcmp() on the names, one of
which is NULL.

I can only reproduce this with pdflatex and the attached (corrupt)
pdflatex.fmt file, but the code appears to be part of the pdftex core.

Stack trace:

Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173
...
#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp-sse4_2.S:173
#1  0x000055555563c0c3 in avl_probe (tree=0x5555558381c0,
item=0x555555a61210) at ../../../texk/web2c/pdftexdir/avl.c:102
#2  0x00005555555c4110 in undumptounicode () at
../../../texk/web2c/pdftexdir/tounicode.c:528
#3  loadfmtfile () at
/usr/src/texlive-bin-2022.20220321.62855-5ubuntu0.1/Work/texk/web2c/pdftexini.c:4288
#4  0x00005555555afaf5 in mainbody () at
/usr/src/texlive-bin-2022.20220321.62855-5ubuntu0.1/Work/texk/web2c/pdftexini.c:5478
#5  main (ac=<optimized out>, av=<optimized out>) at
../../../texk/web2c/lib/texmfmp.c:1175


Software version:

pdfTeX 3.141592653-2.6-1.40.24 (TeX Live 2022/Debian)
kpathsea version 6.3.4
Copyright 2022 Han The Thanh (pdfTeX) et al.


The latest dev code appears unchanged.  The problem can be reproduced (at
least for me) by putting the attached pdflatex.fmt into the current
directory then compiling something with pdflatex.

This is the last SEGV I found so far and the others appear to be duplicates.

-Greg.
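Added example (not pdftex's code and not from the report): a minimal mirror of the pattern described above, with the strcmp()-based comparator beside a NULL-safe one and a validity check that a loader can run on an undumped entry before it reaches avl_probe(). The struct and function names here are hypothetical stand-ins for glyph_unicode_entry and comp_glyph_unicode_entry.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical mirror of pdftex's glyph_unicode_entry: a glyph name
 * plus its code point (the real struct has more fields). */
typedef struct {
    char *name;
    long code;
} glyph_unicode_entry;

/* Comparator shaped like comp_glyph_unicode_entry: plain strcmp() on
 * the names. Reaching it with a NULL name is the crash in the report. */
int comp_unsafe(const void *pa, const void *pb) {
    const glyph_unicode_entry *a = pa, *b = pb;
    return strcmp(a->name, b->name);
}

/* Hardened comparator: a NULL name never reaches strcmp(). NULL sorts
 * before every real name and two NULLs compare equal, so the tree
 * ordering stays consistent even if a bad entry slips in. */
int comp_safe(const void *pa, const void *pb) {
    const glyph_unicode_entry *a = pa, *b = pb;
    if (a->name == NULL || b->name == NULL)
        return (a->name != NULL) - (b->name != NULL);
    return strcmp(a->name, b->name);
}

/* Check a loader should run right after undumping the name and before
 * probing the tree: 1 if the entry is usable, 0 if the undump produced
 * no name (what a corrupt .fmt can yield). */
int undumped_entry_is_valid(const glyph_unicode_entry *gu) {
    return gu != NULL && gu->name != NULL && gu->name[0] != '\0';
}

/* Self-check over constructed entries mirroring the crash scenario:
 * returns 1 when the NULL-name entry is rejected and compares safely. */
int demo_null_name_handled(void) {
    glyph_unicode_entry ok  = { "alpha", 0x3B1 };
    glyph_unicode_entry bad = { NULL, 0 };   /* failed undump result */
    return undumped_entry_is_valid(&ok) && !undumped_entry_is_valid(&bad)
        && comp_safe(&bad, &ok) < 0 && comp_safe(&ok, &bad) > 0
        && comp_safe(&bad, &bad) == 0 && comp_safe(&ok, &ok) == 0;
}
```

Rejecting the entry at the validity check is the real fix; the safe comparator is defence in depth so a stray NULL cannot take the process down inside the tree code.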
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pdflatex.fmt
Type: application/octet-stream
Size: 6447104 bytes
Desc: not available
URL: <https://tug.org/pipermail/tex-live/attachments/20230828/afc6d4ce/attachment-0001.obj>