[texlive-bin] 01/01: cherrypick upstream svn43637 (Closes: #796490)

To: debian-tex-maint@lists.debian.org
Subject: [texlive-bin] 01/01: cherrypick upstream svn43637 (Closes: #796490)
From: Norbert Preining <preining@debian.org>
Date: Thu, 30 Mar 2017 01:45:39 +0000
Message-id: <[🔎] E1ctP9f-0002vz-Ah@moszumanska.debian.org>
Reply-to: Norbert Preining <preining@debian.org>
In-reply-to: <[🔎] 20170330014500.9971.97836@moszumanska.debian.org>
References: <[🔎] 20170330014500.9971.97836@moszumanska.debian.org>

This is an automated email from the git hooks/post-receive script.

preining pushed a commit to branch master
in repository texlive-bin.

commit 77fd3947331fc5601d05be0a3ee9432d6bb76576
Author: Norbert Preining <preining@debian.org>
Date:   Thu Mar 30 10:06:26 2017 +0900

    cherrypick upstream svn43637 (Closes: #796490)
    
    When embedding png images with alpha channel, pdftex did embed
    twice as much memory and left the second half uninitialized.
    Thanks to David Fifield for research and fix.
---
 debian/changelog                                   |  9 +++
 debian/patches/series                              |  1 +
 ...-pdftex-dont-embed-unitialized-memory-png-alpha | 93 ++++++++++++++++++++++
 3 files changed, 103 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c3a553f..1c1f82a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+texlive-bin (2016.20160513.41080.dfsg-2) unstable; urgency=medium
+
+  * cherrypick upstream svn43637 (Closes: #796490)
+    When embedding png images with alpha channel, pdftex did embed
+    twice as much memory and left the second half uninitialized.
+    Thanks to David Fifield for research and fix.
+
+ -- Norbert Preining <preining@debian.org>  Thu, 30 Mar 2017 10:02:29 +0900
+
 texlive-bin (2016.20160513.41080.dfsg-1) unstable; urgency=medium
 
   * new upstream repackaging:
diff --git a/debian/patches/series b/debian/patches/series
index 8a4a518..c698cd3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,3 +44,4 @@ upstream-svn42803-dvipdfmx-cid-font-info
 #update-mplibdir-luatex1
 #update-luatexdir-luatex1
 teckit-dont-build-sfconv
+upstream-svn43637-pdftex-dont-embed-unitialized-memory-png-alpha
diff --git a/debian/patches/upstream-svn43637-pdftex-dont-embed-unitialized-memory-png-alpha b/debian/patches/upstream-svn43637-pdftex-dont-embed-unitialized-memory-png-alpha
new file mode 100644
index 0000000..36ecd03
--- /dev/null
+++ b/debian/patches/upstream-svn43637-pdftex-dont-embed-unitialized-memory-png-alpha
@@ -0,0 +1,93 @@
+Fixes for reproducible build caused by embedding
+unintialized memory into the resulting pdf file.
+
+Analysis by David Fifield
+I think I found the cause of this bug. It's a bug in pdfTeX that results
+in uninitialized memory being copied to the output file. I have reported
+the bug upstream:
+        https://www.tug.org/pipermail/pdftex/2017-March/009100.html
+
+The function write_png_rgb_alpha allocates twice as much memory as is
+necessary for the smask buffer. The second half of the buffer is left
+uninitialized and the whole buffer is copied to the output PDF file. It
+only arises with PNG images that have an alpha channel. (I suppose
+optipng removes the alpha channel when possible, which is why it made
+the problem go away.)
+
+I think the bug is in texk/web2c/pdftexdir/writepng.c, where a "/ 2"
+should be "/ 4"; i.e., 1 in 4 bytes is an alpha byte:
+    smask_size = (png_get_rowbytes(png_ptr(img), png_info(img)) / 2)
+                 * png_get_image_height(png_ptr(img), png_info(img));
+Interestingly, texk/web2c/luatexdir/image/writepng.w gets it right:
+    smask_size = (int) ((png_get_rowbytes(png_p, info_p) / 4) * png_get_image_height(png_p, info_p));
+
+Reproduction instructions:
+1. (optional) Install texlive-binaries-dbgsym (for line numbers in
+   valgrind output).
+     sudo sh -c 'echo "deb http://debug.mirrors.debian.org/debian-debug/ stretch-debug main" > /etc/apt/sources.list.d/debian-debug.list'
+     sudo apt-get update
+     sudo apt-get install texlive-binaries-dbgsym
+2. Run valgrind and see errors.
+     valgrind pdflatex ownCloudClientManual.tex
+   Note that the valgrind stack trace says write_png_gray_alpha, not
+   write_png_rgb_alpha, probably as an artifact of optimization.
+
+==13526== Conditional jump or move depends on uninitialised value(s)
+==13526==    at 0x4C300D3: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==13526==    by 0x506E425: ??? (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
+==13526==    by 0x506EE67: ??? (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
+==13526==    by 0x506FE53: deflate (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
+==13526==    by 0x199F99: writezip (writezip.c:71)
+==13526==    by 0x15215C: pdfflush.part.39 (pdftex0.c:18943)
+==13526==    by 0x18FA1D: write_png_rgb_alpha (writepng.c:381)
+==13526==    by 0x18FA1D: write_png (writepng.c:662)
+==13526==    by 0x18A836: writeimage (writeimg.c:370)
+==13526==    by 0x16BB78: zpdfwriteimage (pdftex0.c:22285)
+==13526==    by 0x16D794: zpdfshipout (pdftex0.c:24722)
+==13526==    by 0x17F65C: maincontrol (pdftex0.c:38501)
+==13526==    by 0x12F5B9: mainbody (pdftexini.c:5656)
+==13526==
+==13526== Conditional jump or move depends on uninitialised value(s)
+==13526==    at 0x4C301EB: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==13526==    by 0x506E425: ??? (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
+==13526==    by 0x506EE67: ??? (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
+==13526==    by 0x506FE53: deflate (in /lib/x86_64-linux-gnu/libz.so.1.2.8)
+==13526==    by 0x199F99: writezip (writezip.c:71)
+==13526==    by 0x15215C: pdfflush.part.39 (pdftex0.c:18943)
+==13526==    by 0x18FA1D: write_png_rgb_alpha (writepng.c:381)
+==13526==    by 0x18FA1D: write_png (writepng.c:662)
+==13526==    by 0x18A836: writeimage (writeimg.c:370)
+==13526==    by 0x16BB78: zpdfwriteimage (pdftex0.c:22285)
+==13526==    by 0x16D794: zpdfshipout (pdftex0.c:24722)
+==13526==    by 0x17F65C: maincontrol (pdftex0.c:38501)
+==13526==    by 0x12F5B9: mainbody (pdftexini.c:5656)
+.. more ..
+
+---
+ texk/web2c/pdftexdir/ChangeLog  |    6 ++++++
+ texk/web2c/pdftexdir/writepng.c |    2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- texlive-bin.orig/texk/web2c/pdftexdir/ChangeLog
++++ texlive-bin/texk/web2c/pdftexdir/ChangeLog
+@@ -1,3 +1,9 @@
++2017-03-29  Akira Kakuto  <kakuto@fuk.kindai.ac.jp>
++
++	* writepng.c: Fix the size of memory to allocate when writing
++	SMask in write_png_rgb_alpha. Reported by David Fifield:
++	http://tug.org/pipermail/pdftex/2017-March/009100.html.
++
+ 2016-07-16  Akira Kakuto  <kakuto@fuk.kindai.ac.jp>
+ 
+ 	* pdftoepdf.cc: Use zround(stemV->getNum()) instead of stemV->getInt()
+--- texlive-bin.orig/texk/web2c/pdftexdir/writepng.c
++++ texlive-bin/texk/web2c/pdftexdir/writepng.c
+@@ -335,7 +335,7 @@
+     pdfcreateobj(0, 0);
+     smask_objnum = objptr;
+     pdf_printf("/SMask %i 0 R\n", (int) smask_objnum);
+-    smask_size = (png_get_rowbytes(png_ptr(img), png_info(img)) / 2)
++    smask_size = (png_get_rowbytes(png_ptr(img), png_info(img)) / 4)
+                  * png_get_image_height(png_ptr(img), png_info(img));
+     smask = xtalloc(smask_size, png_byte);
+     pdfbeginstream();

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-tex/texlive-bin.git

Reply to:

References:
- [texlive-bin] branch master updated (0d1a907 -> 77fd394)
  - From: Norbert Preining <preining@debian.org>

Prev by Date: [texlive-bin] branch master updated (0d1a907 -> 77fd394)
Next by Date: Processing of texlive-bin_2016.20160513.41080.dfsg-2_amd64.changes
Previous by thread: [texlive-bin] branch master updated (0d1a907 -> 77fd394)
Next by thread: Processing of texlive-bin_2016.20160513.41080.dfsg-2_amd64.changes
Index(es):
- Date
- Thread