[tex-live] 1 byte Buffer Overflow in writet1.c / t1_builtin_enc()

Hanno Böck hanno at hboeck.de
Fri Jan 22 10:43:20 CET 2016


Hi,

By testing pdflatex with address sanitizer I discovered a buffer
overflow in the code in writet1.c in the function t1_builtin_enc().

It is in this line:
            if (sscanf(p, "dup %i%256s put", &i, t1_buf_array) == 2 &&

The problem is that t1_buf_array is exactly 256 bytes, which means it
can only hold a string of 255 bytes because of the zero-terminator byte
of the string.

I didn't easily find out where t1_buf_array gets allocated, but I think
changing this from %256s to %255s should fix the issue.

I find the structure of the tex-projects a bit confusing, so I'm not
entirely sure if this is the right place to report this. This file
appears twice in the texlive source I have here:
./texk/web2c/pdftexdir/writet1.c
./texk/dvipsk/writet1.c
and almost identical code appears here:
./texk/web2c/luatexdir/font/writet1.w

The code that gets triggered when running pdflatex (on a random,
trivial tex input file) is the one in pdftexdir. But I assume this
should be fixed in all instances where this code appears.

Attached is a patch.


This is the error message from Address Sanitizer:

==19735==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000007300 at pc 0x7f192f4f4772 bp 0x7ffe3011c0f0 sp 0x7ffe3011c098
WRITE of size 257 at 0x611000007300 thread T0
    #0 0x7f192f4f4771 (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x24771)
    #1 0x7f192f4f4d95 in __interceptor___isoc99_vsscanf (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x24d95)
    #2 0x7f192f4f4eaa in __interceptor___isoc99_sscanf (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x24eaa)
    #3 0x59f532 in t1_builtin_enc /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writet1.c:840
    #4 0x59f532 in t1_subset_ascii_part /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writet1.c:1320
    #5 0x5a0680 in writet1 /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writet1.c:1693
    #6 0x583197 in write_fontfile /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writefont.c:406
    #7 0x583197 in write_fontdescriptor /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writefont.c:462
    #8 0x5839a7 in write_fontdescriptors /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writefont.c:518
    #9 0x585988 in writefontstuff /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/pdftexdir/writefont.c:595
    #10 0x465e36 in closefilesandterminate /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-core-2014_build/texk/web2c/pdftex0.c:39647
    #11 0x443296 in mainbody /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-core-2014_build/texk/web2c/pdftexini.c:5655
    #12 0x40530d in main /var/tmp/portage/app-text/texlive-core-2014-r4/work/texlive-20140525-source/texk/web2c/lib/texmfmp.c:906
    #13 0x7f192da037af in __libc_start_main (/lib64/libc.so.6+0x207af)
    #14 0x405758 in _start (/usr/bin/pdftex-texlive-core-2014+0x405758)

0x611000007300 is located 0 bytes to the right of 256-byte region [0x611000007200,0x611000007300)
allocated by thread T0 here:
    #0 0x7f192f5279e6 in __interceptor_realloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/libasan.so.1+0x579e6)
    #1 0x7f192e5d0dd9 in xrealloc (/usr/lib64/libkpathsea.so.6+0x28dd9)


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
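As an added illustration (not the attached patch and not TeX Live code), the following C shows the hardened scanf width for a 256-byte name buffer and a guard byte that would reveal the one-byte overrun the report describes. It assumes the encoding entries have the form "dup <code> /<glyph> put" that the original sscanf format implies; the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define T1_BUF_SIZE 256       /* size of t1_buf_array in writet1.c */
#define CANARY_VALUE 0xA5

/* Guard byte right after the name buffer: the 257-byte write ASan reported
 * would land here, so an intact canary shows no overrun took place. */
struct name_buf { char name[T1_BUF_SIZE]; unsigned char canary; };

/* Parse one "dup <code> /<glyph> put" entry; 1 if the whole entry matched and
 * the name fit, else 0.  The width is derived from the buffer size so it
 * cannot drift from the array length (the bug was %256s on a 256-byte array). */
int parse_encoding_entry(const char *line, int *code, struct name_buf *nb)
{
    char fmt[40]; int consumed = -1;
    /* Yields "dup %i%255s put%n": %255s stores at most 255 chars plus NUL. */
    snprintf(fmt, sizeof fmt, "dup %%i%%%ds put%%n", T1_BUF_SIZE - 1);
    if (sscanf(line, fmt, code, nb->name, &consumed) != 2)
        return 0;
    /* %n only fires if the literal "put" matched after the name.  A name of
     * 256+ chars leaves its tail where "put" is expected, so consumed stays
     * -1 and the silently truncated entry is rejected rather than accepted. */
    return consumed > 0 && nb->name[0] == '/';
}

/* 1 if `line` parses to the expected code and name with the canary intact. */
int entry_matches(const char *line, int want_code, const char *want_name)
{
    struct name_buf nb = {{0}, CANARY_VALUE};
    int code = 0;
    if (!parse_encoding_entry(line, &code, &nb))
        return 0;
    return code == want_code && strcmp(nb.name, want_name) == 0 &&
           nb.canary == CANARY_VALUE;
}

/* Constructed input: a glyph name of `name_len` letters after the '/'.
 * Returns 1 iff the parser rejects it and the canary is still intact. */
int overlong_name_rejected(size_t name_len)
{
    char line[600];
    struct name_buf nb = {{0}, CANARY_VALUE};
    int code = 0;
    if (name_len + 14 > sizeof line) return 0;
    memcpy(line, "dup 65 /", 8);
    memset(line + 8, 'A', name_len);
    memcpy(line + 8 + name_len, " put", 5);     /* copies the NUL too */
    return parse_encoding_entry(line, &code, &nb) == 0 &&
           nb.canary == CANARY_VALUE;
}
```

A name of 255 characters (254 letters plus the slash) is the largest that fits; one more character is rejected instead of being truncated or overrunning the buffer.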
-------------- next part --------------
A non-text attachment was scrubbed...
Name: texlive-fix-sscanf.diff
Type: text/x-patch
Size: 631 bytes
Desc: not available
URL: <http://tug.org/pipermail/tex-live/attachments/20160122/eb4ea1b4/attachment.bin>