[Dev-luatex] [PATCH] printing.w: prevent OOB read from zero-length buffer

Philipp Gesang phg at phi-gamma.net
Thu Apr 21 22:20:52 CEST 2016


When passed the empty string, tprint() will allocate a zero-length
buffer and then branch on its first element (``if (*buffer) { … }``)
which has never been initialized.

Prevent the invalid access by checking for the empty string and skipping
the printing routine entirely if appropriate.

Signed-off-by: Philipp Gesang <phg at phi-gamma.net>
---
 source/texk/web2c/luatexdir/tex/printing.w | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source/texk/web2c/luatexdir/tex/printing.w b/source/texk/web2c/luatexdir/tex/printing.w
index 478d55f..675fa45 100644
--- a/source/texk/web2c/luatexdir/tex/printing.w
+++ b/source/texk/web2c/luatexdir/tex/printing.w
@@ -367,6 +367,10 @@ void tprint(const char *sss)
     int newlinechar = int_par(new_line_char_code);
     int dolog = 0;
     int doterm = 0;
+    const size_t sss_len = strlen(sss);
+    if (sss_len == 0u) { /* nothing to print */
+        return;
+    }
     switch (selector) {
         case no_print:
             return;
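Review bot: the new `strlen(sss)` at the top of the function runs unconditionally, ahead of `case no_print: return;`, whereas before this patch the only `strlen(sss)` call sat inside `if (dolog || doterm)`; a caller that reaches tprint with a NULL pointer while output is suppressed now dereferences it where it previously did not. Either state in a comment that tprint requires a non-NULL string, or widen the guard to `if (sss == NULL || sss_len == 0u) { return; }` after computing the length only for non-NULL input. The early return also sits before the whole `switch (selector)`, so it bypasses every selector branch, including those not shown in this hunk; confirm that none of them has a side effect for an empty string that callers depend on (anything that advances a position or appends to a pool rather than writing characters). The `0u` literal is a minor style point: comparing a `size_t` against plain `0` is the usual idiom in this file.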
@@ -413,7 +417,7 @@ void tprint(const char *sss)
     }
     /* what is left is the 3 term/log settings */
     if (dolog || doterm) {
-        buffer = xmalloc(strlen(sss)*3);
+        buffer = xmalloc(sss_len*3);
         if (dolog) {
             const unsigned char *ss = (const unsigned char *) sss;
             while (*ss) {
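Review bot: reusing `sss_len` here is consistent with the guard added above and makes the allocation at least 3 bytes, but `sss_len*3` reserves no byte for a terminator, and whether the copy loop that starts at `while (*ss)` NUL-terminates `buffer` is not visible in this hunk. If the later `if (*buffer)` test mentioned in the commit message, or any string call on `buffer`, relies on a terminator, allocate `sss_len*3 + 1` (or leave a comment stating the per-byte expansion bound that the factor 3 assumes), so that the zero-length read fixed here is not traded for a one-byte overrun at the far end of the buffer.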
-- 
2.8.0
