Buffer overflow on axohelp

Semmle Security Reports security-reports at semmle.com
Thu Jul 18 15:09:03 CEST 2019


Dear TeX Live team,

I would like to report a security vulnerability in your axohelp.

There is a buffer overflow in the way axohelp handles .ax1 files.

In the DoOneObject function, an insecure, unbounded sprintf is used, which
can end in memory corruption.

int DoOneObject(char *cinput)
{
    int num, i, num1, num2;
    char *s, *t, *StartClean;
    double *argbuf = 0;
    SetDefaults();
    /* find the object name between '[' and ']' (no bounds checks) */
    s = cinput; while ( *s != '[' ) s++;
    s++; t = s; while ( *t != ']' ) t++;
    /* terminate the name, then skip whitespace before the argument text */
    *t++ = 0; while ( *t == ' ' || *t == '\t' || *t == '\n' ) t++;
    outpos = outputbuffer;
    /* [1] unbounded sprintf into the fixed-size outputbuffer */
    outpos += sprintf(outpos,"\\axo@setObject{%s}%%\n{%s%c}%%\n{",s,t,TERMCHAR);
    if ( *s == '0' && s[1] == ']' ) {
If a line larger than the size of outputbuffer (1000000) is supplied, the
overflow will happen. I have attached a compressed example file, so you can
test it yourself.

$ axohelp POC.ax1

Please let me know when you have fixed the vulnerability so that I can
coordinate my disclosure with yours. For reference, here is a link to
Semmle's vulnerability disclosure policy:
https://lgtm.com/security#disclosure_policy

Thank you,

Nico Waisman

Semmle Security Research Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: POC_stack_overflow.ax1.gz
Type: application/gzip
Size: 4807 bytes
Desc: not available
URL: <https://tug.org/pipermail/tex-live/attachments/20190718/bfbe281f/attachment.gz>
