[Dev-luatex] [PATCH] printing.w: prevent OOB read from zero-length buffer

luigi scarso luigi.scarso at gmail.com
Fri Apr 22 07:41:11 CEST 2016


On Thu, Apr 21, 2016 at 10:20 PM, Philipp Gesang <phg at phi-gamma.net> wrote:

> When passed the empty string, tprint() will allocate a zero-length
> buffer and then branch on its first element (``if (*buffer) { … }``)
> which has never been initialized.
>
> Prevent the invalid access by checking for the empty string and skipping
> the printing routine entirely if appropriate.
>
> Signed-off-by: Philipp Gesang <phg at phi-gamma.net>
> ---
>  source/texk/web2c/luatexdir/tex/printing.w | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/source/texk/web2c/luatexdir/tex/printing.w
> b/source/texk/web2c/luatexdir/tex/printing.w
> index 478d55f..675fa45 100644
> --- a/source/texk/web2c/luatexdir/tex/printing.w
> +++ b/source/texk/web2c/luatexdir/tex/printing.w
> @@ -367,6 +367,10 @@ void tprint(const char *sss)
>      int newlinechar = int_par(new_line_char_code);
>      int dolog = 0;
>      int doterm = 0;
> +    const size_t sss_len = strlen(sss);
> +    if (sss_len == 0u) { /* nothing to print */
> +        return;
> +    }
>      switch (selector) {
>          case no_print:
>              return;
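Review bot: the added `strlen(sss)` runs before `switch (selector)`, so every call, including the ones that return immediately at `case no_print:`, now scans the whole string; placing the length check after the `no_print` case, or computing `sss_len` only in the `if (dolog || doterm)` block where it is consumed, keeps that hot path unchanged. It would also help if the commit message confirmed that no selector branch has side effects for an empty string, since the early return now bypasses the whole `switch`.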
> @@ -413,7 +417,7 @@ void tprint(const char *sss)
>      }
>      /* what is left is the 3 term/log settings */
>      if (dolog || doterm) {
> -        buffer = xmalloc(strlen(sss)*3);
> +        buffer = xmalloc(sss_len*3);
>          if (dolog) {
>              const unsigned char *ss = (const unsigned char *) sss;
>              while (*ss) {
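Review bot: with the zero-length case handled, `buffer = xmalloc(sss_len*3)` still leaves the buffer uninitialized for non-empty input, and the description says a later `if (*buffer)` reads its first byte; if any path through the `while (*ss)` loop can emit nothing for a non-empty string, that read stays undefined. Either confirm the loop always writes `buffer[0]`, or allocate with a zeroing allocator or write an explicit terminator. Note also that `sss_len*3` keeps the original size with no room for a NUL, which is fine only as long as the buffer is never treated as a C string.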
> --
> 2.8.0
>
>
Do you have an example that triggers the wrong sss string?

-- 
luigi
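As an added illustration (not code from luatex's printing.w, nor from either poster), a minimal C model of the pattern the quoted commit message describes: a scratch buffer sized `strlen(sss)*3`, filled by a loop, then a branch on `*buffer`. The `^^X` escape used to justify the 3x factor, and the names `expand` and `tprint_model`, are assumptions; the hardened version keeps the patch's empty-string guard and additionally zero-fills and NUL-terminates the buffer so the first-byte test is always a defined read.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Expand sss into buf, at most 3 output bytes per input byte.
 * Assumption for this model: non-printable bytes become a TeX-style
 * "^^X" escape (3 bytes); printable bytes are copied as-is. */
static size_t expand(const char *sss, char *buf)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)sss; *p; p++) {
        if (isprint(*p)) {
            buf[n++] = (char)*p;
        } else {
            buf[n++] = '^';
            buf[n++] = '^';
            buf[n++] = (char)(*p ^ 0x40);   /* '\n' (0x0a) -> 'J' */
        }
    }
    return n;
}

/* Buggy shape (for reference, never executed here):
 *   buffer = malloc(strlen(sss) * 3);  -- size 0 for sss == ""
 *   ... loop writes nothing ...
 *   if (*buffer) { ... }               -- reads outside a 0-byte block
 *
 * Hardened model: copies the expanded text into dst (up to cap bytes)
 * and returns the number of bytes produced, 0 for an empty string,
 * -1 on allocation failure. */
int tprint_model(const char *sss, char *dst, size_t cap)
{
    const size_t sss_len = strlen(sss);
    if (sss_len == 0u) {
        return 0;                        /* nothing to print: the patch's guard */
    }
    /* +1 and zero-fill: buffer[0] exists and is initialized even if the
     * expansion loop were to emit nothing for a non-empty input. */
    char *buffer = calloc(sss_len * 3 + 1, 1);
    if (buffer == NULL) {
        return -1;
    }
    size_t n = expand(sss, buffer);
    if (*buffer) {                       /* defined read in every case */
        if (n > cap) {
            n = cap;
        }
        memcpy(dst, buffer, n);
    }
    free(buffer);
    return (int)n;
}
```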