On Thu, Apr 21, 2016 at 10:20 PM, Philipp Gesang
When passed the empty string, tprint() will allocate a zero-length buffer and then branch on its first element (``if (*buffer) { … }``) which has never been initialized.
Prevent the invalid access by checking for the empty string and skipping the printing routine entirely if appropriate.
Signed-off-by: Philipp Gesang
--- source/texk/web2c/luatexdir/tex/printing.w | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/source/texk/web2c/luatexdir/tex/printing.w b/source/texk/web2c/luatexdir/tex/printing.w index 478d55f..675fa45 100644 --- a/source/texk/web2c/luatexdir/tex/printing.w +++ b/source/texk/web2c/luatexdir/tex/printing.w @@ -367,6 +367,10 @@ void tprint(const char *sss) int newlinechar = int_par(new_line_char_code); int dolog = 0; int doterm = 0; + const size_t sss_len = strlen(sss); + if (sss_len == 0u) { /* nothing to print */ + return; + } switch (selector) { case no_print: return; @@ -413,7 +417,7 @@ void tprint(const char *sss) } /* what is left is the 3 term/log settings */ if (dolog || doterm) { - buffer = xmalloc(strlen(sss)*3); + buffer = xmalloc(sss_len*3); if (dolog) { const unsigned char *ss = (const unsigned char *) sss; while (*ss) { -- 2.8.0
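Review bot: in the first hunk (around line 367), the early `return` for `sss_len == 0u` sits before `switch (selector)`, so an empty string now bypasses every selector case rather than only the buffer path; that matches the intent in the message, but note that the check still relies on callers never passing NULL, since `strlen(sss)` runs before it (the pre-patch code made the same assumption). Consider also making the buffer path robust on its own: the root cause is that `while (*ss)` writes nothing for an empty string, leaving `buffer[0]` unwritten before `if (*buffer)`, so zero-initializing the buffer (or writing a terminator after the loop) would protect any future path that produces zero output bytes even if the early return is ever removed.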
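Review bot: in the second hunk (around line 417), `xmalloc(sss_len*3)` keeps the original size, which leaves no room for a terminating NUL; since the buffer is later tested with `if (*buffer)` (per the commit message), confirm that the fill loop either writes a terminator within the 3x bound or tracks the output length explicitly instead of relying on a NUL. Reusing `sss_len` in place of a second `strlen(sss)` is a welcome cleanup and keeps the allocation size and the emptiness check derived from the same value.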
Do you have an example that triggers the wrong sss string? -- luigi
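As an added example, not part of the original mail or of LuaTeX's code, the following C models the defect the commit message describes and the shape of the fix: a buffer of `strlen(sss)*3` bytes is allocated, filled by a `while (*ss)` loop, and then tested with `if (*buffer)`; for an empty string the loop never runs and the test reads a byte that was never written. The names `xmalloc_demo`, `xcalloc_demo`, `render_byte`, `tprint_before` and `tprint_after` are hypothetical stand-ins, and the rendering of control bytes as `^^` plus one printable character is an assumption used only to motivate why three output bytes per input byte is the upper bound.

```c
/* Added example, not LuaTeX's code: a minimal model of the tprint() pattern
 * the patch fixes, with the pre-patch shape beside a hardened form.
 * Assumptions (not from the patch): xmalloc_demo/xcalloc_demo stand in for
 * LuaTeX's allocators, and control bytes are rendered as "^^" plus a printable
 * character, which is what makes 3 output bytes per input byte the bound. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static void *xmalloc_demo(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) { perror("malloc"); exit(EXIT_FAILURE); }
    return p;
}

static void *xcalloc_demo(size_t n)
{
    void *p = calloc(n, 1);          /* zero-filled, so every byte is defined */
    if (p == NULL) { perror("calloc"); exit(EXIT_FAILURE); }
    return p;
}

/* Render one input byte into at most 3 output bytes; returns bytes written.
 * Assumed rendering: c < 32 -> "^^" followed by c + 64, 127 -> "^^?", else c. */
static size_t render_byte(unsigned char c, char *dst)
{
    if (c < 32 || c == 127) {
        dst[0] = '^';
        dst[1] = '^';
        dst[2] = (char)(c == 127 ? '?' : c + 64);
        return 3;
    }
    dst[0] = (char)c;
    return 1;
}

/* Pre-patch shape (do not call with ""): for an empty string the loop never
 * runs, buffer[0] is never written, and `if (*buffer)` reads memory that
 * malloc(0) never initialized and may not even have allocated. */
size_t tprint_before(const char *sss)
{
    char *buffer = xmalloc_demo(strlen(sss) * 3);
    char *b = buffer;
    const unsigned char *ss = (const unsigned char *) sss;
    while (*ss) {
        b += render_byte(*ss++, b);
    }
    size_t n = 0;
    if (*buffer) {                   /* uninitialized read when sss == "" */
        n = (size_t)(b - buffer);
        fwrite(buffer, 1, n, stdout);
    }
    free(buffer);
    return n;
}

/* Hardened form: skip the whole routine for "", as the patch does, and in
 * addition zero-fill the buffer with one spare byte so *buffer is always a
 * defined value and the result is NUL-terminated. Returns bytes printed. */
size_t tprint_after(const char *sss)
{
    const size_t sss_len = strlen(sss);
    if (sss_len == 0u) {             /* nothing to print */
        return 0;
    }
    char *buffer = xcalloc_demo(sss_len * 3 + 1);
    char *b = buffer;
    const unsigned char *ss = (const unsigned char *) sss;
    while (*ss) {
        b += render_byte(*ss++, b);
    }
    *b = '\0';
    size_t n = (size_t)(b - buffer);
    if (*buffer) {                   /* now always a defined byte */
        fputs(buffer, stdout);
    }
    free(buffer);
    return n;
}

int main(void)
{
    /* constructed inputs: empty, plain, and one with a newline (byte 10 -> "^^J") */
    printf("\n%zu bytes\n", tprint_after(""));
    printf("\n%zu bytes\n", tprint_after("ab"));
    printf("\n%zu bytes\n", tprint_after("a\n"));
    return 0;
}
```

The hardened form keeps both defences on purpose: the early return is the patch's fix, and the zero-filled, terminated buffer means the `if (*buffer)` test stays well defined even if some future caller reaches the allocation with zero output bytes.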