[C/WEB] Deal with malign user input.

'break_out' and 'flush_buffer' were tricked into putting an extremely long TeX macro (longer than 'line_length', i.e., 80 chars) into 'out_buf', which overflowed. This, of course, would wreak havoc, both in the TeX output and in the runtime system. See https://tug.org/pipermail/tex-live/2023-July/049306.htm for the initial bug report. git-svn-id: svn://tug.org/texlive/trunk/Build/source@67656 c570f23f-e606-0410-a88d-b1316a301751
TeX-Live · Jul 17, 2023 · df02f99 · df02f99
1 parent 256a29c
commit df02f99
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 3 deletions.
diff --git a/texk/web2c/ChangeLog b/texk/web2c/ChangeLog
@@ -1,3 +1,7 @@
+2023-07-17  Andreas Scherer  <https://ascherer.github.io>
+
+	* weave.ch: Deal with malign user input.
+
 2023-07-09  Andreas Scherer  <https://ascherer.github.io>
 
 	* cwebboot.cin: Regenerate boot source.

diff --git a/texk/web2c/cwebdir/ChangeLog b/texk/web2c/cwebdir/ChangeLog
@@ -1,3 +1,7 @@
+2023-07-17  Andreas Scherer  <https://ascherer.github.io>
+
+	* cweave.w: Deal with malign user input.
+
 2023-07-16  Andreas Scherer  <https://ascherer.github.io>
 
 	* ctwill-mini.ch,

diff --git a/texk/web2c/cwebdir/cweave.w b/texk/web2c/cwebdir/cweave.w
@@ -1443,8 +1443,8 @@ to overflow. To make this routine a little faster, we initialize position
 out_buf[0]='\\';
 
 @ A long line is broken at a blank space or just before a backslash that isn't
-preceded by another backslash. In the latter case, a |'%'| is output at
-the break.
+preceded by another backslash or a \TeX\ comment marker. In the latter case, a
+|'%'| is output at the break.
 
 @c
 static void
@@ -1456,7 +1456,7 @@ break_out(void) /* finds a way to break the output line */
     if (*k==' ') {
       flush_buffer(k,false,true); return;
     }
-    if (*(k--)=='\\' && *k!='\\') { /* we've decreased |k| */
+    if (*(k--)=='\\' && *k!='\\' && *k!='%') { /* we've decreased |k| */
       flush_buffer(k,true,true); return;
     }
   }

diff --git a/texk/web2c/weave.ch b/texk/web2c/weave.ch
@@ -325,6 +325,21 @@ begin if no_xref then return;
 if (reserved(p)or(byte_start[p]+1=byte_start[p+ww]))and
 @z
 
+@x [127] see https://tug.org/pipermail/tex-live/2023-July/049306.htm
+preceded by another backslash. In the latter case, a |"%"| is output at
+the break.
+@y
+preceded by another backslash or a \TeX\ comment marker. In the latter case, a
+|'%'| is output at the break.
+@z
+
+@x [127] deal with malign user input
+  if (d="\")and(out_buf[k-1]<>"\") then {in this case |k>1|}
+@y
+  if (d="\")and(out_buf[k-1]<>"\")and(out_buf[k-1]<>"%") then
+    {in this case |k>1|}
+@z
+
 @x [148] Purify 'reduce' and 'squash'.
 @d production(#)==@!debug prod(#) gubed; goto found
 @d reduce(#)==red(#); production