
Bug#447081: buffer overflow in dvips -



Dear Karl, dear all!

Bastien Roucaries has found that dvips -z segfaults on amd64 with very
long href entries, example:

\documentclass{article}
\usepackage[hypertex]{hyperref}
\href{/XXXX/XXXXXXX/XXX/XXXXX/XXXXXXXXXXXXXXX/XXXXXXX/XXXXXXXXXXXXXXXXX/XXX XXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXX XXXXX XXXXXXXXXXXXX - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}{solot}
\end{document}

This does NOT happen on i386, but I can confirm the segfault on amd64.

Bastien found a place that could be the problem:

----- Forwarded message from Bastien ROUCARIES <bastien.roucaries@enseeiht.fr> -----

[...]

> Found bug do not know how to patch using debian system...
> 
> File hps.c
> ---------------------------
> void stamp_hps P1C(Hps_link *, pl)
> {
>   char tmpbuf[200] ;         /*    <------- POTENTIAL BUG HERE malloc(strlen(pl->title)+200) safer */
>   if (pl == NULL) {

[...]

> /* For external URL's, we just pass them through as a string. The hyperps
>  * interpreter can then do what is wants with them.
>  */
> void stamp_external P2C(char *, s, Hps_link *, pl) 
> {
>   char tmpbuf[200]; /*      BUG BUG HERE use malloc(strlen(s)+200) */
>   if (pl == NULL) {

[...]

----- End forwarded message -----


Furthermore, he created a patch for hps.c which, at least on his computer,
fixes the problem (I have not been able to try it yet).

----- Forwarded message from Bastien ROUCARIES <bastien.roucaries@enseeiht.fr> -----

[...]

> Ok with this patch dvips -z doesn't crash anymore :-)
> 
> Regards Bastien
> 
> PS: Feel free to add it; it is so trivial that I give it to you as public domain
> code...

----- End forwarded message -----

I attach this patch. 


Could you or anyone else please take a look at this, give your comments
(please leave the Cc on list, especially the Debian bug report).

Thanks a lot and all the best

Norbert

-------------------------------------------------------------------------------
Dr. Norbert Preining <preining@logic.at>        Vienna University of Technology
Debian Developer <preining@debian.org>                         Debian TeX Group
gpg DSA: 0x09C5B094      fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
-------------------------------------------------------------------------------
TIDPIT (n.)
The corner of a toenail from which satisfying little black deposits
may be sprung.
			--- Douglas Adams, The Meaning of Liff
--- hps.c.old	2006-01-17 22:41:51.000000000 +0100
+++ hps.c	2007-10-19 18:22:47.000000000 +0200
@@ -441,19 +441,32 @@
 
 void stamp_hps P1C(Hps_link *, pl)
 {
-  char tmpbuf[200] ;
+  char * tmpbuf;
   if (pl == NULL) {
     error("Null pointer, oh no!") ;
     return ;
-  } else {
-    /* print out the proper pdfm with local page info only 
-     *  target info will be in the target dictionary */
-    (void)sprintf(tmpbuf, 
-		  " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ", pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
-		  pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
-		  pl->color[0], pl->color[1], pl->color[2]) ;
-    cmdout(tmpbuf) ; 
-  }
+  } 
+  if(pl->title == NULL) {
+    error("Null pointer, oh no!") ;
+    return ;
+  } 
+
+  tmpbuf = (char *) malloc(strlen(pl->title)+200);
+  if(tmpbuf == NULL) {
+    error("out of memory, oh no!") ;
+    return ;
+  } 
+
+  /* print out the proper pdfm with local page info only 
+   *  target info will be in the target dictionary */
+  (void)sprintf(tmpbuf, 
+		" (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ", 
+		pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
+		pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
+		pl->color[0], pl->color[1], pl->color[2]) ;
+  cmdout(tmpbuf) ; 
+  free(tmpbuf);
+  
   
 }
 
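Review bot: The new buffer is sized `strlen(pl->title)+200` but is still filled with an unbounded `sprintf`, so the fix only holds if the seven `%.0f` and five `%i` conversions plus the fixed text always fit in the 200-byte slack; `%.0f` of a large double can emit several hundred digits, so a bad coordinate value would turn the old stack overflow into a heap overflow. Keep the computed size in a variable and write with it: `size_t len = strlen(pl->title) + 200;`, `tmpbuf = malloc(len);`, `(void)snprintf(tmpbuf, len, " (%s) [[%.0f ...]] pdfm ", ...)`, so a miscounted size becomes truncation rather than memory corruption (C89 builds of dvips may lack snprintf; if so, computing the exact length or bounding the numeric arguments is the alternative). The `(char *)` cast on `malloc` is unnecessary in C and can hide a missing `<stdlib.h>` prototype, which I cannot confirm from the hunk. The same sizing and `sprintf` pattern appears in the `stamp_external` hunk below.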
@@ -462,18 +475,31 @@
  */
 void stamp_external P2C(char *, s, Hps_link *, pl) 
 {
-  char tmpbuf[200];
+  char *tmpbuf;
   if (pl == NULL) {
     error("Null pointer, oh no!") ;
     return ;
-  } else {
-    /* print out the proper pdfm with local page info only 
-     *  target info will be in the target dictionary */
-    (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ", pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
-		  pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
-		  pl->color[0], pl->color[1], pl->color[2], s) ;
-    cmdout(tmpbuf) ;
-  }
+  } 
+
+  if (s == NULL) {
+    error("Null pointer, oh no!") ;
+    return ;
+  } 
+
+  tmpbuf = (char *) malloc(strlen(s) + 200);
+  if(tmpbuf == NULL) {
+    error("out of memory, oh no!") ;
+    return ;
+  } 
+
+  /* print out the proper pdfm with local page info only 
+   *  target info will be in the target dictionary */
+  (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ",
+		pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
+		pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
+		pl->color[0], pl->color[1], pl->color[2], s) ;
+  cmdout(tmpbuf) ;
+  free(tmpbuf);
 }
 
 void finish_hps P1H(void) {
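Review bot: The added `s == NULL` check reuses the exact message `"Null pointer, oh no!"` already emitted for `pl == NULL` three lines above, so a failing run gives no way to tell which pointer was missing; a distinct text such as `error("Null external URL, oh no!") ;` costs nothing and makes the diagnostic actionable. The hunk also keeps the URL inside a PostScript string literal via `(%s)` with no visible escaping of `(`, `)` or `\`; if the hyperps layer does not escape these elsewhere (not visible here), an unbalanced parenthesis in an href would end the literal early, which is worth a comment on the `sprintf` line either way.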
