fixed buffer overflow in mp.w (trunk)
git-svn-id: https://serveur-svn.lri.fr/svn/modhel/luatex/trunk@7059 0b2b3880-5936-4365-a048-eb17d2e5a6bf
luigiScarso committed Jan 22, 2019
1 parent 49c7c10 commit c197d03
Showing 2 changed files with 9 additions and 25 deletions.
2 changes: 1 addition & 1 deletion source/texk/web2c/luatexdir/luatex_svnversion.h
@@ -1 +1 @@
#define luatex_svn_revision 7055
#define luatex_svn_revision 7056
32 changes: 8 additions & 24 deletions source/texk/web2c/mplibdir/mp.w
Expand Up @@ -756,7 +756,7 @@ defined.
@<Glob...@>=
integer bad; /* is some ``constant'' wrong? */

@ Later on we will say `|if ( int_packets+(17+3)*int_increment>bistack_size )mp->bad=19;|',
@ Later on we will say `|if ( int_packets+17*int_increment>bistack_size )mp->bad=19;|',
or something similar.

In case you are wondering about the non-consequtive values of |bad|: most
Expand Down Expand Up @@ -1253,6 +1253,9 @@ to the input buffer. The variable |command_line| will be filled by the
mp->term_in = (mp->open_file)(mp,"terminal", "r", mp_filetype_terminal);
if (mp->command_line!=NULL) {
mp->last = strlen(mp->command_line);
if (mp->last > (mp->buf_size+1)) {
mp_reallocate_buffer(mp,mp->last);
}
(void)memcpy((void *)mp->buffer,(void *)mp->command_line,mp->last);
xfree(mp->command_line);
} else {
Expand Down Expand Up @@ -4797,7 +4800,7 @@ double mp_get_numeric_value (MP mp, const char *s, size_t l) {
mp_loop_data *s;
s = mp->loop_ptr;
while (s != NULL && sym != s->var)
s = s->link;
s = mp->loop_ptr->link;
if (s != NULL && sym == s->var ){
mp_xfree (ss);
return number_to_double(s->old_value) ;
Expand Down Expand Up @@ -4857,7 +4860,7 @@ mp_knot mp_get_path_value (MP mp, const char *s, size_t l) {
char *ss = mp_xstrdup(mp,s);
if (ss) {
mp_sym sym = mp_id_lookup(mp,ss,l,false);
if (sym != NULL && sym->v.data.node != NULL) {
if (sym != NULL) {
if (mp_type(sym->v.data.node) == mp_path_type) {
mp_xfree (ss);
return (mp_knot) sym->v.data.node->data.p;
Expand Down Expand Up @@ -15680,7 +15683,7 @@ mp->bisect_stack = xmalloc ((bistack_size + 1), sizeof (mp_number));
xfree (mp->bisect_stack);

@ @<Check the ``constant''...@>=
if (int_packets + (17+2) * int_increment > bistack_size)
if (int_packets + 17 * int_increment > bistack_size)
mp->bad = 19;

@ Computation of the min and max is a tedious but fairly fast sequence of
Expand Down Expand Up @@ -15769,28 +15772,11 @@ and |(pp,mp_link(pp))|, respectively.
@c
static void mp_cubic_intersection (MP mp, mp_knot p, mp_knot pp) {
mp_knot q, qq; /* |mp_link(p)|, |mp_link(pp)| */
mp_number x_two_t; /* increment bit precision by x bit */
mp->time_to_go = max_patience;
set_number_from_scaled (mp->max_t, 2);
new_number (x_two_t);
number_clone (x_two_t,two_t);
number_double(x_two_t); number_double(x_two_t); /* add x=3 bit of precision */
number_double(x_two_t);
@<Initialize for intersections at level zero@>;
CONTINUE:
while (1) {
/* When we are in arbitrary precision math, low precisions can */
/* lead to acces locations beyond the stack_size: in this case */
/* we say that there is no intersection.*/
if ( ((x_packet (mp->xy))+4)>bistack_size ||
((u_packet (mp->uv))+4)>bistack_size ||
((y_packet (mp->xy))+4)>bistack_size ||
((v_packet (mp->uv))+4)>bistack_size ){
set_number_from_scaled (mp->cur_t, 1);
set_number_from_scaled (mp->cur_tt, 1);
goto NOT_FOUND;
}

if (number_to_scaled (mp->delx) - mp->tol <=
number_to_scaled (stack_max (x_packet (mp->xy))) - number_to_scaled (stack_min (u_packet (mp->uv))))
if (number_to_scaled (mp->delx) + mp->tol >=
Expand All @@ -15800,8 +15786,7 @@ CONTINUE:
if (number_to_scaled (mp->dely) + mp->tol >=
number_to_scaled (stack_min (y_packet (mp->xy))) - number_to_scaled (stack_max (v_packet (mp->uv)))) {
if (number_to_scaled (mp->cur_t) >= number_to_scaled (mp->max_t)) {
if (number_equal(mp->max_t, x_two_t)) { /* we've done 17+x bisections */
number_divide_int(mp->cur_t,1<<3);number_divide_int(mp->cur_tt,1<<3);
if (number_equal(mp->max_t, two_t)) { /* we've done 17 bisections */
set_number_from_scaled (mp->cur_t, ((number_to_scaled (mp->cur_t) + 1)/2));
set_number_from_scaled (mp->cur_tt, ((number_to_scaled (mp->cur_tt) + 1)/2));
return;
Expand All @@ -15816,7 +15801,6 @@ CONTINUE:
if (mp->time_to_go > 0) {
decr (mp->time_to_go);
} else {
number_divide_int(mp->appr_t,1<<3);number_divide_int(mp->appr_tt,1<<3);
while (number_less (mp->appr_t, unity_t)) {
number_double(mp->appr_t);
number_double(mp->appr_tt);
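Review bot: The new guard `if (mp->last > (mp->buf_size+1))` in the hunk at -1253,6 +1253,9 still lets a command line of exactly buf_size+1 bytes reach the memcpy without growing the buffer, so the copy is in bounds only if mp->buffer holds at least buf_size+1 elements, and any later write at index mp->last would then land one past the end. Neither the allocation of mp->buffer nor the size mp_reallocate_buffer produces for its second argument is visible in this hunk, so the boundary should be confirmed against both. Unless that slack is intended, a tighter test such as `if (mp->last >= mp->buf_size) {` makes the fix independent of it. A one-line comment above the test, for example `/* the command line may be longer than the initial input buffer */`, would also record why the reallocation is there. The enclosing block starts and ends outside the hunk.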