[tex-live] TL2016: Stack smashed in upmendex fprint_uchar() function

Dr. Werner Fink werner at suse.de
Tue Jun 14 18:35:50 CEST 2016


during test I've seen a catched stack smash done by glibc fortify.
It seems that in texk/upmendex/fwrite.c the function fprint_uchar()
will be overflowed by the UChar inital array in indwrite()

  UChar datama[256],initial[INITIALLENGTH],initial_prev[INITIALLENGTH];



as the macro INITIALLENGTH had shown 18 members during debugging whereas
in the original fprint_uchar() only 5 members are handled

  static void fprint_uchar(FILE *fp, const UChar *a, const int mode, const int len)
          int k;
          char str[15], *ret;
          UChar istr[5];
          int olen, wclen;
          UErrorCode perr;
          if (len<0) {
                  for (k=0; a[k] || k<4; k++) istr[k]=a[k];
          } else {
                  wclen = is_surrogate_pair(a) ? 2 : 1;
                  if (wclen==2) istr[1]=a[1];
          ^^^^^^^^^^^^^^^^^^  Stack smash

maybe the macro INITIALLENGTH has other values for other builds as this
crash only happens on a view build environments here around ;)


  "Having a smoking section in a restaurant is like having
          a peeing section in a swimming pool." -- Edward Burr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: x
Type: text/x-patch
Size: 652 bytes
Desc: Patch
URL: <http://tug.org/pipermail/tex-live/attachments/20160614/f425acf0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://tug.org/pipermail/tex-live/attachments/20160614/f425acf0/attachment-0001.bin>

More information about the tex-live mailing list