
Bug#147976: marked as forwarded (Dvips has a string allocation bug in papersize handling (patch included))



Your message dated Fri, 13 Jun 2003 09:57:37 +0200
with message-id <20030613075737.GA6347@preusse-16223.user.cis.dfn.de>
has caused the Debian Bug report #147976,
regarding Dvips has a string allocation bug in papersize handling (patch included)
to be marked as having been forwarded to the upstream software
author(s) tex-k@mail.tug.org.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

---------------------------------------
Received: (at 147976-forwarded) by bugs.debian.org; 13 Jun 2003 08:45:13 +0000
From hille42@web.de Fri Jun 13 03:45:04 2003
Return-path: <hille42@web.de>
Received: from smtp02.web.de (smtp.web.de) [217.72.192.151] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19QkBD-0008T6-00; Fri, 13 Jun 2003 03:45:03 -0500
Received: from [213.7.204.132] (helo=preusse-16223.user.cis.dfn.de)
	by smtp.web.de with asmtp (WEB.DE 4.98 #232)
	id 19QkBA-0005v3-00; Fri, 13 Jun 2003 10:45:00 +0200
Received: by preusse-16223.user.cis.dfn.de (Postfix, from userid 1000)
	id 723C64769; Fri, 13 Jun 2003 09:57:37 +0200 (CEST)
Date: Fri, 13 Jun 2003 09:57:37 +0200
From: Hilmar Preusse <hille42@web.de>
To: tex-k@mail.tug.org
Cc: 147976-forwarded@bugs.debian.org
Subject: (fwd) Dvips has a string allocation bug in papersize handling (patch included)
Message-ID: <20030613075737.GA6347@preusse-16223.user.cis.dfn.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Organization: Hilmar Preusse Inc.
X-Uptime: 09:50:39 up 35 days,  2:15,  3 users,  load average: 1.05, 1.03, 1.00
X-Operating-System: Linux 2.4.20 i686
X-www.distributed.net: OGR: 45 packets (7439.50 stats units) [2.36 Mnodes/s]
X-Confirmation-Request: yes
X-Confirm-Reading-To: "Hilmar Preusse" <hille42@web.de>
Sender: hille42@web.de
Delivered-To: 147976-forwarded@bugs.debian.org
X-Spam-Status: No, hits=-17.4 required=4.0
	tests=BAYES_30,FROM_ENDS_IN_NUMS,HAS_PACKAGE,PATCH_UNIFIED_DIFF,
	      USER_AGENT_MUTT
	autolearn=ham version=2.53-bugs.debian.org_2003_06_10
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_06_10 (1.174.2.15-2003-03-30-exp)

Hi,

This is said to be the bug-report address of dvips. We've got two
bugs in the Debian Bug Tracking system, which seem to be the same
and are still present in the latest dvips.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=147976
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196113

Comments, hints, remarks?

----- Forwarded message from Kevin Buhr <buhr@telus.net> -----

From: Kevin Buhr <buhr@telus.net>
To: submit@bugs.debian.org
Subject: Dvips has a string allocation bug in papersize handling (patch included)
Date: 23 May 2002 18:13:06 -0700
Message-ID: <87g00ibb6l.fsf@saurus.asaurus.invalid>

Package: tetex-bin
Version: 1.0.7+20011202-7

Dvips (at least in Woody) has a string allocation bug that will
cause it to produce bad PostScript in some circumstances.  A patch is
included below.

The paper size specifications in the Dvips configuration file may
include "@+" lines giving PostScript code to be sent to the printer
for that paper size.  Dvips fails to correctly null-terminate this
code string when there are no "@+" lines associated with a particular
specification.  For example, given the specifications:

        @ letterSize 8.5in 11in

        @ A4size 210mm 297mm
        @+ %%PaperSize: A4

Dvips will allocate a single byte for the empty PostScript code for
the "letterSize" specification but will fail to null-terminate the
string.

In the event this location was not already null, Dvips will write
the next string in the string pool, in this case "A4size", into the
PostScript file, like so:

        %%BeginSetup
        %%Feature: *Resolution 600dpi
        TeXDict begin
>>>     A4size

        %%EndSetup

It is a peculiarity of the Dvips code that the first character of the
PostScript code is ignored, which is why the bad non-null byte,
whatever it is, is not actually output.

Also, note that the string pool is *usually* mostly null when Dvips
gets underway, so in practice the bug is rarely observed.  I've run
into it only a handful of times, and it was highly sensitive to the
exact size of my set of environment strings, for example.

The following patch fixes the problem.

Kevin Buhr <buhr@telus.net>

                        *       *       *

diff -ru tetex-bin-1.0.7+20011202~/texk/dvipsk/resident.c tetex-bin-1.0.7+20011202/texk/dvipsk/resident.c
--- tetex-bin-1.0.7+20011202~/texk/dvipsk/resident.c    Thu Nov  1 11:27:45 2001
+++ tetex-bin-1.0.7+20011202/texk/dvipsk/resident.c     Thu May 23 17:28:19 2002
@@ -496,7 +496,7 @@
             handlepapersize(p, &hsiz, &vsiz) ;
             ps->xsize = hsiz ;
             ps->ysize = vsiz ;
-            ps->specdat = nextstring++ ;
+            *(ps->specdat = nextstring++) = '\0' ;
             canaddtopaper = 1 ;
          }
          break ;
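Review bot: the one-line change at `+            *(ps->specdat = nextstring++) = '\0' ;` is the right fix for the symptom described in the report (the reserved byte was left holding whatever the pool already contained), but the assignment-inside-dereference idiom is easy to misread; a short comment saying that this byte is the placeholder dvips skips when it outputs the code, and that it is the terminator of an empty code string until a following `@+` line appends to it, would help the next reader. Note also that nothing in the visible lines checks that `nextstring` is still inside the string pool before it is incremented; if that check lives elsewhere this is fine, otherwise pool overrun is the next failure mode here.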
----- End forwarded message -----

Regards,
  Hilmar
-- 
sigmentation fault