On 3/28/2019 3:57 PM, Marcel Krüger wrote:
Hi,
there are multiple issues memory issues in tprint:
If the buffer passed to tprint only contains of to be escaped characters, the `xmalloc(strlen(sss)*3)` is too small: The final `\0` can not be written, so this causes a write into unallocated memory. If t_flush_buffer is called for such a buffer at the last position, there is an additional `\n` written, so `xmalloc(strlen(sss)*3+2)` is needed.
Additionally, the test `if (*buffer)` is used to test if there is something to print left. If the parameter is empty, `*buffer` is never written, so valgrind complains about `if (*buffer)` depending on uninitialized memory. Instead, `if (i)` can be used: `i` is the length of the written part of the buffer, so `i==0` iff there is nothing to write.
A related problem is with `max_print_line`: If the point where the line should be broken falls inside the escape sequence of an escaped character, the line limit is ignored. This can be fixed by adding
if (term_offset+2>=max_print_line) { wterm_cr(); term_offset=0; }
as in `wterm_char` also in tprint above `buffer[i++] = '^';`.
A full patch fixing all three issues is attached. Can you give a plain tex example where the fault happens? Normally the max line length kicks in (3 chars) before such an overflow.
(btw, nothing fundamental will change in the texlive code freeze frame) Hans ----------------------------------------------------------------- Hans Hagen | PRAGMA ADE Ridderstraat 27 | 8061 GH Hasselt | The Netherlands tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl -----------------------------------------------------------------