writet1.(c,w) of dvips, pdftex, luatex: protect against buffer overflow

norbusan · norbusan · commit f1211fe16c19 · 2018-09-17T23:55:58.000Z
git-svn-id: svn://tug.org/texlive/branches/branch2018/Build/source@48688 c570f23f-e606-0410-a88d-b1316a301751
diff --git a/texk/dvipsk/ChangeLog b/texk/dvipsk/ChangeLog
@@ -1,3 +1,8 @@
+2018-09-18  Norbert Preining  <preining@logic.at>
+
+	* writet1.c (t1_check_unusual_charstring): protect against buffer
+	overflow.
+
 2018-04-14  Karl Berry  <karl@tug.org>
 
 	* Version 5.998 for TeX Live 2018 release.
diff --git a/texk/dvipsk/writet1.c b/texk/dvipsk/writet1.c
@@ -1449,7 +1449,9 @@ static void t1_check_unusual_charstring(void)
         *(strend(t1_buf_array) - 1) = ' ';
 
         t1_getline();
+        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcat(t1_buf_array, t1_line_array);
+        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcpy(t1_line_array, t1_buf_array);
         t1_line_ptr = eol(t1_line_array);
     }
diff --git a/texk/web2c/luatexdir/ChangeLog b/texk/web2c/luatexdir/ChangeLog
@@ -1,3 +1,8 @@
+2018-09-18  Norbert Preining  <preining@logic.at>
+
+	* fonts/writet1.w (t1_check_unusual_charstring): protect against 
+	buffer overflow.
+
 2017-11-02 Luigi Scarso <luigi.scarso@gmail.com>
 	LuaFilesystem 1.7.0
 
diff --git a/texk/web2c/luatexdir/font/writet1.w b/texk/web2c/luatexdir/font/writet1.w
@@ -1625,7 +1625,9 @@ static void t1_check_unusual_charstring(void)
     if (sscanf(p, "%i", &i) != 1) {
         strcpy(t1_buf_array, t1_line_array);
         t1_getline();
+        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcat(t1_buf_array, t1_line_array);
+        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcpy(t1_line_array, t1_buf_array);
         t1_line_ptr = eol(t1_line_array);
     }
diff --git a/texk/web2c/pdftexdir/ChangeLog b/texk/web2c/pdftexdir/ChangeLog
@@ -1,3 +1,8 @@
+2018-09-18  Norbert Preining  <preining@logic.at>
+
+	* writet1.c (t1_check_unusual_charstring): protect against buffer
+	overflow.
+
 2018-04-14  Karl Berry  <karl@tug.org>
 
 	* TeX Live 2018 release, pdftex 1.40.19.
diff --git a/texk/web2c/pdftexdir/writet1.c b/texk/web2c/pdftexdir/writet1.c
@@ -1598,7 +1598,9 @@ static void t1_check_unusual_charstring(void)
         *(strend(t1_buf_array) - 1) = ' ';
 
         t1_getline();
+        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcat(t1_buf_array, t1_line_array);
+        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
         strcpy(t1_line_array, t1_buf_array);
         t1_line_ptr = eol(t1_line_array);
     }

Original file line number	Diff line number	Diff line change
`@@ -1449,7 +1449,9 @@ static void t1_check_unusual_charstring(void)`
`1449`	`1449`	`*(strend(t1_buf_array) - 1) = ' ';`
`1450`	`1450`
`1451`	`1451`	`t1_getline();`
	`1452`	`+ alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);`
`1452`	`1453`	`strcat(t1_buf_array, t1_line_array);`
	`1454`	`+ alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);`
`1453`	`1455`	`strcpy(t1_line_array, t1_buf_array);`
`1454`	`1456`	`t1_line_ptr = eol(t1_line_array);`
`1455`	`1457`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1598,7 +1598,9 @@ static void t1_check_unusual_charstring(void)`
`1598`	`1598`	`*(strend(t1_buf_array) - 1) = ' ';`
`1599`	`1599`
`1600`	`1600`	`t1_getline();`
	`1601`	`+ alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);`
`1601`	`1602`	`strcat(t1_buf_array, t1_line_array);`
	`1603`	`+ alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);`
`1602`	`1604`	`strcpy(t1_line_array, t1_buf_array);`
`1603`	`1605`	`t1_line_ptr = eol(t1_line_array);`
`1604`	`1606`	`}`