[tlbuild] Possible overflow in line 274 in texk/upmendex/convert.c

Dr. Werner Fink werner at suse.de
Wed Apr 22 08:24:07 CEST 2020


the errbuff2 of size BUFFERLEN writes into errbuff also of size BUFFERLEN
but the size of the format string surrounding the %s is missed. Found
by fortify on ppc64/ppc64le.

  "Having a smoking section in a restaurant is like having
          a peeing section in a swimming pool." -- Edward Burr
-------------- next part --------------
--- texk/upmendex/convert.c
+++ texk/upmendex/convert.c	2020-04-22 06:10:54.285427585 +0000
@@ -187,7 +187,7 @@ static int dcomp(const void *bf1, const
 int convert(UChar *buff1, UChar *buff2)
 	int i=0,j=0,k;
-	char errbuff[BUFFERLEN],errbuff2[BUFFERLEN];
+	char errbuff[BUFFERLEN+42],errbuff2[BUFFERLEN];
 	int wclen;
 	UChar buff3[3];
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 894 bytes
Desc: not available
URL: <https://tug.org/pipermail/tlbuild/attachments/20200422/0c674db6/attachment.sig>

More information about the tlbuild mailing list.