[Dev-luatex] Multiple issues with tprint

Hans Hagen j.hagen at xs4all.nl
Thu Mar 28 18:53:41 CET 2019


On 3/28/2019 3:57 PM, Marcel Krüger wrote:
> Hi,
> 
> there are multiple memory issues in tprint:
> 
> If the buffer passed to tprint consists only of to-be-escaped characters, the `xmalloc(strlen(sss)*3)` is too small: The final `\0` cannot be written, so this causes a write into unallocated memory.
> If t_flush_buffer is called for such a buffer at the last position, there is an additional `\n` written, so `xmalloc(strlen(sss)*3+2)` is needed.
> 
> Additionally, the test `if (*buffer)` is used to test if there is something left to print. If the parameter is empty, `*buffer` is never written, so valgrind complains about `if (*buffer)` depending on uninitialized memory. Instead, `if (i)` can be used: `i` is the length of the written part of the buffer, so `i==0` iff there is nothing to write.
> 
> A related problem is with `max_print_line`:
> If the point where the line should be broken falls inside the escape sequence of an escaped character,
> the line limit is ignored.
> This can be fixed by adding
> 
>          if (term_offset+2>=max_print_line) {
>              wterm_cr();
>              term_offset=0;
>          }
> 
> as in `wterm_char` also in tprint above `buffer[i++] = '^';`.
> 
> A full patch fixing all three issues is attached.

Can you give a plain tex example where the fault happens? Normally the
max line length kicks in (3 chars) before such an overflow.

(btw, nothing fundamental will change in the texlive code freeze frame)

Hans

-----------------------------------------------------------------
                                           Hans Hagen | PRAGMA ADE
               Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
        tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl
-----------------------------------------------------------------
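
The buffer-sizing arithmetic from the quoted report, as an added example that is not part of the original thread and is not LuaTeX source. It is a simplified stand-alone model: `needs_escape`, `escaped_capacity` and `escape_line` are hypothetical names, and the rule that control bytes are written as `^^X` is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed escaping rule for this model: control bytes are written as ^^X. */
static int needs_escape(unsigned char c) { return c < 32 || c == 127; }

/* Worst case: 3 output bytes per input byte, one '\n', one '\0'.
   Returns 0 if the size computation would overflow. */
size_t escaped_capacity(size_t n)
{
    return n > (SIZE_MAX - 2) / 3 ? 0 : n * 3 + 2;
}

/* Escapes src into a new buffer; *written is the count of bytes before
   the '\0'. Returns NULL on overflow or allocation failure. */
char *escape_line(const char *src, int add_newline, size_t *written)
{
    size_t n = strlen(src), cap = escaped_capacity(n), i = 0;
    char *buf = cap ? malloc(cap) : NULL;
    if (buf == NULL)
        return NULL;
    for (size_t k = 0; k < n; k++) {
        unsigned char c = (unsigned char)src[k];
        if (needs_escape(c)) {
            buf[i++] = '^';
            buf[i++] = '^';
            buf[i++] = (char)(c < 64 ? c + 64 : c - 64);
        } else {
            buf[i++] = (char)c;
        }
    }
    if (add_newline)
        buf[i++] = '\n';
    buf[i] = '\0';   /* index i <= 3n + 1, always inside the allocation */
    *written = i;    /* callers test this, not *buf, for "anything to print" */
    return buf;
}

int main(void)
{
    size_t len;
    char *s = escape_line("\x01\x02\x03", 1, &len); /* constructed input */
    if (s == NULL)
        return 1;
    printf("%zu bytes written, capacity %zu\n", len, escaped_capacity(3));
    free(s);
    return 0;
}
```

With the constructed three-byte input every byte is escaped, so the newline and terminator fill the last two bytes of the allocation; a buffer of only `3 * n` bytes would be overrun by exactly those two.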