
Bug#247848: tetex-bin: xdvi: large numerical prefixes lead to integer overflow



Package: tetex-bin
Version: 2.0.2-10
Severity: minor

If you press enough digits in the xdvi window, the "int" variable
holding the sequence of digits interpreted as a number overflows
(rolls over into negatives).  I don't see that this is a very
important bug to fix, but it is an easy bug to fix, for someone who
knows the right C library magic thing like INT_MAX or whatever.

There is a header in kpathsea called c-minmax.h that may be the right
thing to use.

In any case, I don't have the full fix, but I have a fix in
pseudocode, if someone else figures out how to define the portable C
MAXINT magical constant.


(Hi Stefan -- yes, this problem is still there in xdvi 22.82.1-cvs1.
The code from the Debian version quoted below is only slightly
different: no "static" number and no #if TOOLKIT.  I submit the bug to
Debian because I hope a Debian person can supply the part I don't know
how to write and submit a real patch upstream.)


For reference, from texk/xdvik/events.c:

    static int number = 0;
    
[..........]

    static
    ACTION(Act_digit)
    {
        unsigned int digit;
        UNUSED(w);
        UNUSED(event);

    #if TOOLKIT
        if (*num_params != 1 || (digit = **params - '0') > 9) {
            XBell(DISP, 10);
            return;
        }
    #else
        digit = keychar - '0';
    #endif
        have_arg = True;
        number = number * 10 + digit;
        print_statusline(STATUS_SHORT, "numerical prefix: %s%d\n", sign < 0 ? "-" : "", number);
    }

To fix:

Suppose that the constant MAXINT is the maximum integer that the
variable 'number' can hold, determined in some magic way that I don't
know.

Then define constants (or if necessary, variables of the same size as
'number' or larger):

  MAXINT_QUOT := (MAXINT / 10)
  MAXINT_MOD  := (MAXINT % 10)

(To be pedantic, note critical assumption that MAXINT>=10  :)  )

Then within the Act_digit() function, in place of the simple assignment to 'number':

  if (  (number <  MAXINT_QUOT) || \
       ((number == MAXINT_QUOT) && (digit <= MAXINT_MOD)) ) {
    number = number * 10 + digit;
  }
  else {
    number = MAXINT;  /* maybe not wise because not what the user requested */
    WARNING_NUMBER_HAS_GOTTEN_TOO_LARGE();
  }

I have not checked the above code carefully for off-by-one errors at
boundary conditions!  I think it's OK if MAXINT is the largest
positive _value_ that an "int" can hold, i.e., OK to say
"int x=MAXINT;", i.e., total number of distinct values for an "int"
variable (like "number" here) is 2*MAXINT+1 (positives, negatives, and
0).


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.5-beth.4
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages tetex-bin depends on:
ii  debconf                     1.4.22       Debian configuration management sy
ii  debianutils                 2.8.1        Miscellaneous utilities specific t
ii  dpkg                        1.10.20      Package maintenance system for Deb
ii  ed                          0.2-20       The classic unix line editor
ii  libc6                       2.3.2.ds1-12 GNU C Library: Shared libraries an
ii  libgcc1                     1:3.3.3-6    GCC support library
ii  libice6                     4.3.0-7      Inter-Client Exchange library
ii  libkpathsea3                2.0.2-10     path search library for teTeX (run
ii  libpaper1                   1.1.14       Library for handling paper charact
ii  libpng12-0                  1.2.5.0-6    PNG library - runtime
ii  libsm6                      4.3.0-7      X Window System Session Management
ii  libstdc++5                  1:3.3.3-6    The GNU Standard C++ Library v3
ii  libt1-5                     5.0.2-0pre1  Type 1 font rasterizer library - r
ii  libwww0                     5.4.0-9      The W3C WWW library
ii  libx11-6                    4.3.0-7      X Window System protocol client li
ii  libxaw7                     4.3.0-7      X Athena widget set library
ii  libxext6                    4.3.0-7      X Window System miscellaneous exte
ii  libxmu6                     4.3.0-7      X Window System miscellaneous util
ii  libxt6                      4.3.0-7      X Toolkit Intrinsics
ii  mime-support                3.26-1       MIME files 'mime.types' & 'mailcap
ii  perl                        5.8.3-3      Larry Wall's Practical Extraction 
ii  sed                         4.0.9-2      The GNU sed stream editor
ii  tetex-base                  2.0.2-6      Basic library files of teTeX
ii  xlibs                       4.3.0-7      X Window System client libraries m
ii  zlib1g                      1:1.2.1-5    compression library - runtime

-- debconf information:
* tetex-bin/hyphen: 
  tetex-bin/oldcfg: true
* tetex-bin/upd_map: true
  tetex-bin/cnf_name: 
* tetex-bin/fmtutil: true
* tetex-bin/use_debconf: true
* tetex-bin/groupname: users
* tetex-bin/userperm: false
* tetex-bin/groupperm: true
* tetex-bin/lsr-perms: true
* tetex-bin/texmf: true
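
An added example, not part of the original report and not xdvik code: the check described in the report written as compilable C, with `INT_MAX` from `<limits.h>` standing in for the MAXINT constant. The helper names `prefix_append_digit` and `feed_digits` are hypothetical, and unlike the pseudocode this version rejects the offending digit instead of clamping to the maximum.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append one decimal digit to a non-negative prefix.
 * The test runs before the multiplication, so no overflowing expression is
 * ever evaluated. On rejection *number is left unchanged. */
static bool prefix_append_digit(int *number, unsigned int digit)
{
    if (digit > 9 || *number < 0)
        return false;
    if (*number > INT_MAX / 10 ||
        (*number == INT_MAX / 10 && digit > (unsigned int)(INT_MAX % 10)))
        return false;
    *number = *number * 10 + (int)digit;
    return true;
}

/* Feed a string of key presses one at a time, starting from 0.
 * Returns how many keys were accepted before the first rejection. */
static int feed_digits(const char *keys, int *number)
{
    int accepted = 0;
    *number = 0;
    for (; *keys; keys++) {
        /* Non-digits wrap to a large unsigned value and are rejected. */
        if (!prefix_append_digit(number, (unsigned int)(*keys - '0')))
            break;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    char keys[32];
    int n;
    /* Constructed input: the digits of INT_MAX followed by one extra key. */
    snprintf(keys, sizeof keys, "%d0", INT_MAX);
    int ok = feed_digits(keys, &n);
    printf("accepted %d of %zu keys, prefix = %d\n", ok, strlen(keys), n);
    return 0;
}
```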


