Buffer overflow in Weave
bengray178 at gmail.com
Sun Jul 16 12:49:25 CEST 2023
The Weave program has a buffer overflow if break_out() doesn't make any
progress. This happens when a line starts with a percent, backslash, and
non-space, and has no possible break locations anywhere else. The break
logic picks before the backslash as the break location, but breaking there
makes no progress because the following line needs a percent inserted anyway
to continue the comment. Overall, the out buffer's length is unchanged. If
the buffer was full, it is still full afterwards.
However the oot() macro assumes progress, so unconditionally appends a
character to the out buffer after calling break_out(). This overflows the
buffer, clobbering whatever follows in memory (up to 1000 characters;
whatever input line length is set).
These two lines are a simple reproducer
The generated TeX contains an 85 character line. Experimenting with longer
inputs and varying the content can cause other effects.
More information about the tex-live