Package: texlive-bin / 2016.20160513.41080.dfsg-2+deb9u1

svn48697-writet1-fix Patch series | download
commit 14d7b5de88141dcad88c533d740a467fee83b573
Author: Norbert Preining <norbert@preining.info>
Date:   Tue Sep 18 11:07:55 2018 +0900

    writet1 protection against buffer overflow

---
 texk/dvipsk/ChangeLog               |    5 +++++
 texk/dvipsk/writet1.c               |    2 ++
 texk/web2c/luatexdir/ChangeLog      |    5 +++++
 texk/web2c/luatexdir/font/writet1.w |    2 ++
 texk/web2c/pdftexdir/ChangeLog      |    5 +++++
 texk/web2c/pdftexdir/writet1.c      |    2 ++
 6 files changed, 21 insertions(+)

--- texlive-bin.orig/texk/dvipsk/ChangeLog
+++ texlive-bin/texk/dvipsk/ChangeLog
@@ -1,3 +1,8 @@
+2018-09-18  Nick Roessler  <nicholas.e.roessler@gmail.com>
+
+	* writet1.c (t1_check_unusual_charstring): protect against buffer
+	overflow.
+
 2016-12-13  Akira Kakuto  <kakuto@fuk.kindai.ac.jp>
 
 	* emspecial.c: Fix a bug in emspecial(), reported by Norbert Klingen:
--- texlive-bin.orig/texk/dvipsk/writet1.c
+++ texlive-bin/texk/dvipsk/writet1.c
@@ -1449,7 +1449,9 @@ static void t1_check_unusual_charstring(
         *(strend(t1_buf_array) - 1) = ' ';
 
         t1_getline();
+        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcat(t1_buf_array, t1_line_array);
+        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcpy(t1_line_array, t1_buf_array);
         t1_line_ptr = eol(t1_line_array);
     }
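Review bot: The two added `alloc_array` calls carry no comment on the sizes they request or on the fact that they may reallocate the buffers, which matters because `t1_line_ptr` is only valid again after the `eol()` assignment that closes the block. I would add above the first call something like `/* room for buf + next line + NUL before strcat; alloc_array may move the arrays, so pointers into them are stale until t1_line_ptr is reset below */`. `alloc_array` is defined outside this hunk, so the reallocation behaviour is inferred from its name and arguments and should be confirmed against the macro. The same comment applies to the identical hunks in luatexdir/font/writet1.w and pdftexdir/writet1.c; t1_check_unusual_charstring starts above the hunk.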
--- texlive-bin.orig/texk/web2c/luatexdir/ChangeLog
+++ texlive-bin/texk/web2c/luatexdir/ChangeLog
@@ -1,3 +1,8 @@
+2018-09-18  Nick Roessler  <nicholas.e.roessler@gmail.com>
+
+	* fonts/writet1.w (t1_check_unusual_charstring): protect against
+	buffer overflow.
+
 2015-11-01  Akira Kakuto  <kakuto@fuk.kindai.ac.jp>
 
 	* luatex.c: Improve a little (w32 only).
--- texlive-bin.orig/texk/web2c/luatexdir/font/writet1.w
+++ texlive-bin/texk/web2c/luatexdir/font/writet1.w
@@ -1625,7 +1625,9 @@ static void t1_check_unusual_charstring(
     if (sscanf(p, "%i", &i) != 1) {
         strcpy(t1_buf_array, t1_line_array);
         t1_getline();
+        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcat(t1_buf_array, t1_line_array);
+        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcpy(t1_line_array, t1_buf_array);
         t1_line_ptr = eol(t1_line_array);
     }
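Review bot: The first copy in this branch, `strcpy(t1_buf_array, t1_line_array);`, still runs before any size check, because the new `alloc_array` guards cover only the later `strcat` and the copy back into t1_line. Unless t1_buf is guaranteed elsewhere to be at least as large as the current line (not visible here), a long first line can overrun t1_buf before the added guards are reached; adding `alloc_array(t1_buf, strlen(t1_line_array) + 1, T1_BUF_SIZE);` ahead of that `strcpy` would close the gap. The dvipsk and pdftexdir hunks begin after this point in the function, so the equivalent copy there presumably needs the same guard.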
--- texlive-bin.orig/texk/web2c/pdftexdir/ChangeLog
+++ texlive-bin/texk/web2c/pdftexdir/ChangeLog
@@ -1,3 +1,8 @@
+2018-09-18  Nick Roessler  <nicholas.e.roessler@gmail.com>
+
+	* writet1.c (t1_check_unusual_charstring): protect against buffer
+	overflow.
+
 2017-03-29  Akira Kakuto  <kakuto@fuk.kindai.ac.jp>
 
 	* writepng.c: Fix the size of memory to allocate when writing
--- texlive-bin.orig/texk/web2c/pdftexdir/writet1.c
+++ texlive-bin/texk/web2c/pdftexdir/writet1.c
@@ -1598,7 +1598,9 @@ static void t1_check_unusual_charstring(
         *(strend(t1_buf_array) - 1) = ' ';
 
         t1_getline();
+        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcat(t1_buf_array, t1_line_array);
+        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcpy(t1_line_array, t1_buf_array);
         t1_line_ptr = eol(t1_line_array);
     }