[tlbuild] Buffer overrun in dvi2tty (and lacheck)

Ken Brown kbrow1i at gmail.com
Wed Jun 20 22:22:28 CEST 2012


On 6/20/2012 4:50 AM, Peter Breitenlohner wrote:
> Moreover, I would suggest
> to check all other occurences of malloc().

Hi Peter,

I assume you meant all other occurrences of strcpy and strcat.  I agree 
that this needs to be done  For now, I'll just mention one other buffer 
overrun that I stumbled across because another test failed when the file 
name was too long:

lacheck uses a buffer of size 100 for returnval.  Eventually 
f_checkend(file_name) is called, which calls print_bad_match, which 
calls eg_command, which calls, in effect, strcat(returnval, file_name), 
which is bad if file_name is long.

I guess the solution is similar to the one you proposed for dvi2tty, in 
which a big enough buffer is malloc'd for returnval, once file_name is 
known.

I hope there aren't too many more of these overruns.

Ken


More information about the tlbuild mailing list