[Dev-luatex] [PATCH] printing.w: prevent OOB read from zero-length buffer

luigi scarso luigi.scarso at gmail.com
Fri Apr 22 10:56:38 CEST 2016


On Fri, Apr 22, 2016 at 9:01 AM, luigi scarso <luigi.scarso at gmail.com>
wrote:

>
>
> On Fri, Apr 22, 2016 at 8:14 AM, Philipp Gesang <phg at phi-gamma.net> wrote:
>
>> ···<date: 2016-04-22, Friday>···<from: luigi scarso>···
>>
>> > On Thu, Apr 21, 2016 at 10:20 PM, Philipp Gesang <phg at phi-gamma.net> wrote:
>> >
>> > > When passed the empty string, tprint() will allocate a zero-length
>> > > buffer and then branch on its first element (``if (*buffer) { … }``)
>> > > which has never been initialized.
>> > >
>> > > Prevent the invalid access by checking for the empty string and skipping
>> > > the printing routine entirely if appropriate.
>> > >
>> > > Signed-off-by: Philipp Gesang <phg at phi-gamma.net>
>> > > ---
>> > >  source/texk/web2c/luatexdir/tex/printing.w | 6 +++++-
>> > >  1 file changed, 5 insertions(+), 1 deletion(-)
>> > >
>> > > diff --git a/source/texk/web2c/luatexdir/tex/printing.w
>> > > b/source/texk/web2c/luatexdir/tex/printing.w
>> > > index 478d55f..675fa45 100644
>> > > --- a/source/texk/web2c/luatexdir/tex/printing.w
>> > > +++ b/source/texk/web2c/luatexdir/tex/printing.w
>> > > @@ -367,6 +367,10 @@ void tprint(const char *sss)
>> > >      int newlinechar = int_par(new_line_char_code);
>> > >      int dolog = 0;
>> > >      int doterm = 0;
>> > > +    const size_t sss_len = strlen(sss);
>> > > +    if (sss_len == 0u) { /* nothing to print */
>> > > +        return;
>> > > +    }
>> > >      switch (selector) {
>> > >          case no_print:
>> > >              return;
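Review bot: the early `return` for `sss_len == 0u` sits above `switch (selector)`, so an empty string now skips every output path in tprint(), not only the `dolog || doterm` branch where the buffer is allocated. The follow-up in this thread says write_out calls tprint_nl with an empty string for its newline side effect, so the guard belongs next to the `xmalloc` call rather than at the top of the function. Placed here, `strlen(sss)` is also evaluated for the `no_print` case, which returns immediately anyway.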
>> > > @@ -413,7 +417,7 @@ void tprint(const char *sss)
>> > >      }
>> > >      /* what is left is the 3 term/log settings */
>> > >      if (dolog || doterm) {
>> > > -        buffer = xmalloc(strlen(sss)*3);
>> > > +        buffer = xmalloc(sss_len*3);
>> > >          if (dolog) {
>> > >              const unsigned char *ss = (const unsigned char *) sss;
>> > >              while (*ss) {
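Review bot: `xmalloc(sss_len*3)` still requests zero bytes for an empty string if the early return from the first hunk is moved or dropped, and nothing in the visible lines initialises `buffer` before it is read. Either skip this block when `sss_len == 0`, or allocate `sss_len*3 + 1` and set `buffer[0] = '\0'` so that the `if (*buffer)` test described in the commit message reads defined memory.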
>> > > --
>> > > 2.8.0
>> > >
>> > >
>> > do you have an example that triggers the wrong sss string?
>>
>> For one it happens if the function is called on the empty string.
>> Here’s a test file:
>>
>>     a\bye
>>
>> I use revision 5949. With the Plain loader from the pretest I
>> get:
>>
>>     $ valgrind --trace-children=yes mtxrun --script plain tprint-empty.tex
>>     ==3758== Conditional jump or move depends on uninitialised value(s)
>>     ==3758==    at 0x4D77BE: tprint (printing.w:431)
>>     ==3758==    by 0x4D7A69: tprint_nl (printing.w:471)
>>     ==3758==    by 0x4BC19F: write_out (extensions.w:533)
>>     ==3758==    by 0x5B6BA4: out_what (pdflistout.w:262)
>>     ==3758==    by 0x4BBBAF: do_extension (extensions.w:389)
>>     ==3758==    by 0x4BBDF0: do_extension (extensions.w:418)
>>     ==3758==    by 0x4C2298: run_extension (maincontrol.w:616)
>>     ==3758==    by 0x4C43C2: main_control (maincontrol.w:971)
>>     ==3758==    by 0x4C0BAB: main_body (mainbody.w:461)
>>     ==3758==    by 0x4892B5: main (luatex.c:498)
>>
>> Actually I just noticed that my patch is probably incorrect:
>> writeout invokes tprint_nl that way for the side effect of
>> popping a newline. The fix should thus be added further down
>> after that happened.
>>
>>
> ok, thank you for the report.
>
> --
> luigi
>

fixed (not exactly this one, because it's not an issue) in trunk & beta
0.95.0

-- 
luigi