[tex-live] buffer overflow in dvips
Norbert Preining
preining at logic.at
Sun Oct 21 13:22:19 CEST 2007
Dear Karl, dear all!
Bastien Roucaries has found that dvips -z segfaults on amd64 with very
long href entries, example:
\documentclass{article}
\usepackage[hypertex]{hyperref}
\href{/XXXX/XXXXXXX/XXX/XXXXX/XXXXXXXXXXXXXXX/XXXXXXX/XXXXXXXXXXXXXXXXX/XXX XXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXX XXXXX XXXXXXXXXXXXX - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}{solot}
\end{document}
This does NOT happen on i386, but I can confirm the segfault on amd64.
Bastien found a place that could be the problem:
----- Forwarded message from Bastien ROUCARIES <bastien.roucaries at enseeiht.fr> -----
[...]
> Found the bug, do not know how to patch it using the Debian system...
>
> File hps.c
> ---------------------------
> void stamp_hps P1C(Hps_link *, pl)
> {
> char tmpbuf[200] ; /* <------- POTENTIAL BUG HERE malloc(strlen(pl->title)+200) safer */
> if (pl == NULL) {
[...]
> /* For external URL's, we just pass them through as a string. The hyperps
> * interpreter can then do what it wants with them.
> */
> void stamp_external P2C(char *, s, Hps_link *, pl)
> {
> char tmpbuf[200]; /* BUG BUG HERE use malloc(strlen(s)+200) */
> if (pl == NULL) {
[...]
----- End forwarded message -----
Furthermore, he created a patch for hps.c which at least on his computer
fixes the problem (I couldn't try it till now).
----- Forwarded message from Bastien ROUCARIES <bastien.roucaries at enseeiht.fr> -----
[...]
> Ok with this patch dvips -z doesn't crash anymore :-)
>
> Regards Bastien
>
> PS: Feel free to add it, it is so trivial that I give it to you as public domain
> code...
----- End forwarded message -----
I attach this patch.
Could you or anyone else please take a look at this, give your comments
(please leave the Cc on list, especially the Debian bug report).
Thanks a lot and all the best
Norbert
-------------------------------------------------------------------------------
Dr. Norbert Preining <preining at logic.at> Vienna University of Technology
Debian Developer <preining at debian.org> Debian TeX Group
gpg DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
-------------------------------------------------------------------------------
TIDPIT (n.)
The corner of a toenail from which satisfying little black deposits
may be sprung.
--- Douglas Adams, The Meaning of Liff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: overflow.patch
Type: text/x-diff
Size: 2749 bytes
Desc: not available
Url : http://tug.org/pipermail/tex-live/attachments/20071021/9f13e449/attachment.bin
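As an added illustration, not code from dvips or from the attached patch: the fixed 200-byte tmpbuf pattern from stamp_external() beside a version whose buffer is sized from strlen(s), as Bastien suggests. The stamp format string and the helper names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer in the original stamp_external(). */
#define TMPBUF_LEN 200

/* Assumed stand-in for the line the hyperps stamp produces; the real
 * dvips format is not shown in the report. */
#define STAMP_FMT "(%s) /external hps"

/* Bytes the formatted line needs, including the terminating NUL.
 * snprintf with a NULL buffer only measures, it never writes. */
size_t stamp_external_needed(const char *s)
{
    int n = snprintf(NULL, 0, STAMP_FMT, s);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if the original char tmpbuf[200] would hold the line, 0 if it
 * would be overrun (the condition behind the amd64 segfault). */
int stamp_external_fits_fixed(const char *s)
{
    return stamp_external_needed(s) <= TMPBUF_LEN;
}

/* Hardened form: buffer sized from strlen(s) plus room for the fixed
 * text, and the write is bounded. Caller frees the result. */
char *stamp_external_safe(const char *s)
{
    size_t cap = strlen(s) + TMPBUF_LEN;
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, cap, STAMP_FMT, s);
    if (n < 0 || (size_t)n >= cap) { free(buf); return NULL; }
    return buf;
}

/* Constructed input: an href of len 'X' characters, like the long path
 * in the report. Caller frees. */
char *make_href(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memset(s, 'X', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *longhref = make_href(300);
    printf("fits 200-byte tmpbuf: short=%d long=%d\n",
           stamp_external_fits_fixed("/short/path"),
           stamp_external_fits_fixed(longhref));
    char *out = stamp_external_safe(longhref);
    printf("safe stamp length: %zu\n", out ? strlen(out) : 0);
    free(out); free(longhref);
    return 0;
}
```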