Bug#632328: /usr/bin/mpost: indirect readfrom makes a file path leak into the read string
Package: texlive-binaries
Version: 2009-8
Severity: normal
File: /usr/bin/mpost
Tags: upstream patch fixed-upstream
mpost does some internal string corruption for the following construct:
===== oops.mp ======
def oops(expr arg) =
show arg;
enddef;
beginfig(0)
string blah;
blah:="blah/blah";
oops("first");
readfrom blah;
readfrom "doesnotexist";
oops("OK");
readfrom blah;
oops("OOPS");
readfrom blah;
readfrom "doesnotexist";
oops("OK again");
endfig;
end;
==========
$ mpost oops
This is MetaPost, version 1.208 (kpathsea version 5.0.0)
(./oops.mp
>> "first"
>> "OK"
>> "blah/OOPS"
>> "OK again" [0] )
1 output file written: oops.0
Transcript written on oops.log.
The actual script was much more complicated and the corrupted strings
were actually files - that did not exist.
I checked metapost upstream svn repository (not texlive which only
imports a release from time to time) at
http://foundry.supelec.fr/gf/project/metapost
After bisecting branch 1.2 I came up with revision 1401 which fixes that
problem: "fix bug #417: indirect readfrom makes a file path leak into the
read string", cherry picked patch attached.
http://foundry.supelec.fr/gf/project/metapost/scmsvn/?action=browse&path=%2Fbranches%2F1.2%2F&pathrev=1401
Unfortunately bug #417 is not publicly viewable.
Another possibility would be to upgrade metapost from 1.208 to 1.212,
the last release from 1.2 branch. Commit 1401 was done between 1.211 and
1.212.
Andreas
-- System Information:
Debian Release: 6.0.2
APT prefers stable
APT policy: (800, 'stable'), (750, 'oldstable'), (700, 'testing'), (600, 'unstable'), (500, 'stable-updates'), (130, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages texlive-binaries depends on:
ii ed 1.4-3 The classic UNIX line editor
ii libc6 2.13-7 Embedded GNU C Library: Shared lib
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.2-2.1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.6.0-10 GCC support library
ii libkpathsea5 2009-8 TeX Live: path search library for
ii libncurses5 5.7+20100313-5 shared libraries for terminal hand
ii libpng12-0 1.2.44-1 PNG library - runtime
ii libpoppler5 0.12.4-1.2 PDF rendering library
ii libstdc++6 4.6.0-10 The GNU Standard C++ Library v3
ii libx11-6 2:1.3.3-4 X11 client-side library
ii libxaw7 2:1.0.7-1 X11 Athena Widget library
ii libxmu6 2:1.0.5-2 X11 miscellaneous utility library
ii libxpm4 1:3.5.8-1 X11 pixmap library
ii libxt6 1:1.0.7-1 X11 toolkit intrinsics library
ii perl 5.12.3-7+b1 Larry Wall's Practical Extraction
ii tex-common 2.08.1 common infrastructure for building
ii texlive-common 2009-11 TeX Live: Base component
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
texlive-binaries recommends no packages.
texlive-binaries suggests no packages.
-- no debconf information
------------------------------------------------------------------------
r1401 | taco | 2010-10-13 14:26:03 +0200 (Wed, 13 Oct 2010) | 2 lines
Changed paths:
M /branches/1.2/source/texk/web2c/mplibdir/mp.w
fix bug #417: indirect readfrom makes a file path leak into the read string
------------------------------------------------------------------------
Index: source/texk/web2c/mplibdir/mp.w
===================================================================
--- source/texk/web2c/mplibdir/mp.w (revision 1400)
+++ source/texk/web2c/mplibdir/mp.w (revision 1401)
@@ -16261,10 +16261,11 @@
@c
void mp_end_name (MP mp) {
- pool_pointer s; /* length of area, name, and extension */
+ pool_pointer s,orig; /* length of area, name, and extension */
unsigned int len;
/* "my/w.mp" */
s = mp->str_start[mp->str_ptr];
+ orig = s;
if ( mp->area_delimiter<0 ) {
mp->cur_area=xstrdup("");
} else {
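Review bot: the new declaration `pool_pointer s,orig;` keeps the old comment `/* length of area, name, and extension */`, which now describes neither variable; `orig` is the saved start of the temporary pool string (`orig = s;` immediately after `s = mp->str_start[mp->str_ptr];`) and should get its own comment, and a space after the comma would match the surrounding style. It is also worth confirming in review that the `else` branch of `if ( mp->area_delimiter<0 )` is what advances `s` past the area part, since the saved `orig` only matters if `s` no longer points at the pool start by the time the function ends.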
@@ -16280,7 +16281,7 @@
len = (unsigned)(mp->ext_delimiter-s);
}
copy_pool_segment(mp->cur_name,s,len);
- mp->pool_ptr=s; /* don't need this partial string */
+ mp->pool_ptr=orig; /* don't need this partial string */
}
@ Conversely, here is a routine that takes three strings and prints a file
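Review bot: `mp->pool_ptr=orig;` is the actual fix; resetting to `s` left everything between the original pool start and `s` as live pool data after `copy_pool_segment(mp->cur_name,s,len);`, which matches the report's symptom of a path prefix (`blah/`) being prepended to the next string read. The unchanged comment `/* don't need this partial string */` could say explicitly that the whole temporary file name, area included, is discarded. A regression test built from the reporter's oops.mp, expecting `>> "OOPS"` instead of `>> "blah/OOPS"`, would pin this down.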