Bug#775348: catdvi: null pointer dereference
The provided file gives this output when running under valgrind:
==1516973== Memcheck, a memory error detector
==1516973== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==1516973== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==1516973== Command: ./catdvi crash.dvi
==1516973==
unknown font encoding `' for family `', reverting to `TEX TEXT'
Glyph does not exist in font
Glyph does not exist in font
Glyph does not exist in font
Glyph does not exist in font
==1516973== Invalid read of size 1
==1516973== at 0x10DD6D: font_char_depth (fontinfo.c:515)
==1516973== by 0x11095A: output_glyph (readdvi.c:149)
==1516973== by 0x110C55: process_file (readdvi.c:203)
==1516973== by 0x10C7CA: main (catdvi.c:251)
==1516973== Address 0x1 is not stack'd, malloc'd or (recently) free'd
==1516973==
==1516973==
==1516973== Process terminating with default action of signal 11 (SIGSEGV)
==1516973== Access not within mapped region at address 0x1
==1516973== at 0x10DD6D: font_char_depth (fontinfo.c:515)
==1516973== by 0x11095A: output_glyph (readdvi.c:149)
==1516973== by 0x110C55: process_file (readdvi.c:203)
==1516973== by 0x10C7CA: main (catdvi.c:251)
==1516973== If you believe this happened as a result of a stack
==1516973== overflow in your program's main thread (unlikely but
==1516973== possible), you can try to increase the size of the
==1516973== main thread stack using the --main-stacksize= flag.
==1516973== The main thread stack size used in this run was 8388608.
==1516973==
==1516973== HEAP SUMMARY:
==1516973== in use at exit: 3,193,046 bytes in 120,573 blocks
==1516973== total heap usage: 191,797 allocs, 71,224 frees, 8,686,188 bytes allocated
==1516973==
==1516973== LEAK SUMMARY:
==1516973== definitely lost: 5,847 bytes in 336 blocks
==1516973== indirectly lost: 493 bytes in 33 blocks
==1516973== possibly lost: 0 bytes in 0 blocks
==1516973== still reachable: 3,186,706 bytes in 120,204 blocks
==1516973== suppressed: 0 bytes in 0 blocks
==1516973== Rerun with --leak-check=full to see details of leaked memory
==1516973==
==1516973== For lists of detected and suppressed errors, rerun with: -s
==1516973== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
My guess is that this is related to bogus font information in the dvi
file, and insufficient input validation in catdvi.
--
Happy hacking
Petter Reinholdtsen
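The crash pattern the trace points at (a font lookup that fails for a glyph, followed by a read through the returned pointer in a depth accessor) can be illustrated with a small self-contained C program. This is an added example with hypothetical data structures and function names; it is not catdvi's code and makes no claim about how fontinfo.c is actually written. It shows an unchecked accessor beside a checked one that treats a missing glyph as zero-extent instead of dereferencing the lookup result.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical font model (constructed for this example, not catdvi's). */
typedef struct {
    int code;   /* character code */
    int depth;  /* glyph depth in some unit */
} glyph_t;

typedef struct {
    const char *name;
    glyph_t    *glyphs;
    size_t      nglyphs;
} font_t;

/* Constructed sample font with two glyphs: 'A' (65) and 'B' (66). */
static glyph_t sample_glyphs[] = { { 65, 7 }, { 66, 9 } };
static font_t  sample_font    = { "sample", sample_glyphs, 2 };

/* Linear lookup; returns NULL when the glyph is not in the font, which is
 * the situation the "Glyph does not exist in font" message reports. */
static const glyph_t *font_lookup(const font_t *f, int code)
{
    for (size_t i = 0; i < f->nglyphs; i++) {
        if (f->glyphs[i].code == code)
            return &f->glyphs[i];
    }
    fprintf(stderr, "Glyph does not exist in font\n");
    return NULL;
}

/* Unchecked accessor: a bogus character code from the input file turns
 * into a NULL dereference here, the class of fault valgrind reported above. */
int char_depth_unchecked(const font_t *f, int code)
{
    const glyph_t *g = font_lookup(f, code);
    return g->depth;   /* crashes when g == NULL */
}

/* Checked accessor: a missing glyph yields depth 0 and sets *ok to 0 so the
 * caller can decide whether to skip the glyph or reject the file. */
int char_depth_checked(const font_t *f, int code, int *ok)
{
    const glyph_t *g = font_lookup(f, code);
    if (g == NULL) {
        if (ok) *ok = 0;
        return 0;
    }
    if (ok) *ok = 1;
    return g->depth;
}

int main(void)
{
    int ok = 0;
    /* Code 200 is not in the constructed font: checked path reports it. */
    int d = char_depth_checked(&sample_font, 200, &ok);
    printf("depth=%d ok=%d\n", d, ok);
    printf("depth of 'A'=%d\n", char_depth_checked(&sample_font, 65, NULL));
    return 0;
}
```

Running the unchecked variant with a code that is not in the font under valgrind produces the same "Invalid read" followed by SIGSEGV seen in the report; the checked variant returns 0 and flags the failure, which is the input-validation step the report says is missing.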