Possible SEGV (null pointer deref) in writet1.c

Karl Berry karl at freefriends.org
Sat Aug 26 22:55:54 CEST 2023


    There seems to be a possible SEGV (null pointer dereference) in
    texk/web2c/pdftexdir/writet1.c

Thanks much for the detailed report. I installed the fix below (pdftex
r910, texlive r68069). Let me know if you see problems, please.

It looked like the same problem would apply to the other sscanf
"parsing" that's happening, so I did the same for them. I wouldn't be at
all surprised if there are bugs lurking in parsing of invalid files, pfb
or otherwise.

Thanks again,
Karl

--- writet1.c	(revision 909)
+++ writet1.c	(working copy)
@@ -841,7 +841,10 @@
                 *t1_buf_array == '/' && valid_code(i)) {
                 if (strcmp(t1_buf_array + 1, notdef) != 0)
                     glyph_names[i] = xstrdup(t1_buf_array + 1);
-                p = strstr(p, " put") + strlen(" put");
+                p = strstr(p, " put");
+                if (!p)
+                    pdftex_fail("invalid pfb, no put found in dup");
+                p += strlen(" put");
                 skip(p, ' ');
             }
             /*
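Review bot: the new null check is the right fix, but note it runs after glyph_names[i] has already been set via xstrdup on the line above, so by the time pdftex_fail fires the table has been partially updated and that string is never freed; harmless as long as pdftex_fail aborts, but the check would be safer placed before the assignment so a rejected entry never touches glyph_names. Also consider hoisting the repeated literal " put" into a single variable or macro, since it now appears in both the strstr and the strlen call and the two must stay in sync.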
@@ -850,7 +853,10 @@
             else if (sscanf(p, "dup dup %i exch %i get put", &b, &a) == 2
                      && valid_code(a) && valid_code(b)) {
                 copy_glyph_names(glyph_names, a, b);
-                p = strstr(p, " get put") + strlen(" get put");
+                p = strstr(p, " get put");
+                if (!p)
+                    pdftex_fail("invalid pfb, no get put found in dup dup");
+                p += strlen(" get put");
                 skip(p, ' ');
             }
             /*
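Review bot: the check is needed even though the sscanf format on the first line of this hunk already ends in "get put", because sscanf returns the number of conversions (2 here) regardless of whether the trailing literal text matched, so an entry such as "dup dup 1 exch 2 foo" passes the condition with no " get put" in the buffer. One caveat worth a comment in the code: whitespace in a sscanf format matches any run of whitespace, while strstr(p, " get put") requires exactly one space, so an entry with a tab or two spaces between "get" and "put" would now be reported as an invalid pfb rather than parsed; that mismatch predates this change (it used to be the crash), but the message "invalid pfb" may mislead on such input.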
@@ -861,7 +867,10 @@
                      && valid_code(a) && valid_code(b) && valid_code(c)) {
                 for (i = 0; i < c; i++)
                     copy_glyph_names(glyph_names, a + i, b + i);
-                p = strstr(p, " putinterval") + strlen(" putinterval");
+                p = strstr(p, " putinterval");
+                if (!p)
+                   pdftex_fail("invalid pfb, no putinterval found in dup dup");
+                p += strlen(" putinterval");
                 skip(p, ' ');
             }
             /*
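Review bot: the pdftex_fail line in this hunk is indented one space less than the other two hunks (19 spaces versus 20); align it with the others for consistency. As in the first hunk, the check comes after the copy_glyph_names loop has already modified the table, so moving the strstr test ahead of the loop would reject the entry before any side effects. Separately, valid_code is applied to a, b and c individually but the loop passes a + i and b + i up to c - 1; it is not visible in this diff whether copy_glyph_names bounds-checks its indices, so that is worth confirming while this code is being touched.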
