From df02f9912b8d7228b463a100a6970f37ab44a88e Mon Sep 17 00:00:00 2001 From: Andreas Scherer Date: Mon, 17 Jul 2023 15:15:21 +0000 Subject: [PATCH] [C/WEB] Deal with malign user input. 'break_out' and 'flush_buffer' were tricked into putting an extremely long TeX macro (longer than 'line_length', i.e., 80 chars) into 'out_buf', which overflowed. This, of course, would wreak havoc, both in the TeX output and in the runtime system. See https://tug.org/pipermail/tex-live/2023-July/049306.htm for the initial bug report. git-svn-id: svn://tug.org/texlive/trunk/Build/source@67656 c570f23f-e606-0410-a88d-b1316a301751 --- texk/web2c/ChangeLog | 4 ++++ texk/web2c/cwebdir/ChangeLog | 4 ++++ texk/web2c/cwebdir/cweave.w | 6 +++--- texk/web2c/weave.ch | 15 +++++++++++++++ 4 files changed, 26 insertions(+), 3 deletions(-) diff --git a/texk/web2c/ChangeLog b/texk/web2c/ChangeLog index 06a24f2a4d..2cdc40a1a2 100644 --- a/texk/web2c/ChangeLog +++ b/texk/web2c/ChangeLog @@ -1,3 +1,7 @@ +2023-07-17 Andreas Scherer + + * weave.ch: Deal with malign user input. + 2023-07-09 Andreas Scherer * cwebboot.cin: Regenerate boot source. diff --git a/texk/web2c/cwebdir/ChangeLog b/texk/web2c/cwebdir/ChangeLog index 564d570c49..fa92f4560a 100644 --- a/texk/web2c/cwebdir/ChangeLog +++ b/texk/web2c/cwebdir/ChangeLog @@ -1,3 +1,7 @@ +2023-07-17 Andreas Scherer + + * cweave.w: Deal with malign user input. + 2023-07-16 Andreas Scherer * ctwill-mini.ch, diff --git a/texk/web2c/cwebdir/cweave.w b/texk/web2c/cwebdir/cweave.w index 3f92f12c82..dbdfa3c029 100644 --- a/texk/web2c/cwebdir/cweave.w +++ b/texk/web2c/cwebdir/cweave.w 
@@ -1443,8 +1443,8 @@ to overflow. To make this routine a little faster, we initialize position out_buf[0]='\\'; @ A long line is broken at a blank space or just before a backslash that isn't -preceded by another backslash. In the latter case, a |'%'| is output at -the break. +preceded by another backslash or a \TeX\ comment marker. In the latter case, a +|'%'| is output at the break. @c static void @@ -1456,7 +1456,7 @@ break_out(void) /* finds a way to break the output line */ if (*k==' ') { flush_buffer(k,false,true); return; } - if (*(k--)=='\\' && *k!='\\') { /* we've decreased |k| */ + if (*(k--)=='\\' && *k!='\\' && *k!='%') { /* we've decreased |k| */ flush_buffer(k,true,true); return; } } diff --git a/texk/web2c/weave.ch b/texk/web2c/weave.ch index 024fbbc207..136fc89d27 100644 --- a/texk/web2c/weave.ch +++ b/texk/web2c/weave.ch @@ -325,6 +325,21 @@ begin if no_xref then return; if (reserved(p)or(byte_start[p]+1=byte_start[p+ww]))and @z +@x [127] see https://tug.org/pipermail/tex-live/2023-July/049306.htm +preceded by another backslash. In the latter case, a |"%"| is output at +the break. +@y +preceded by another backslash or a \TeX\ comment marker. In the latter case, a +|'%'| is output at the break. +@z + +@x [127] deal with malign user input + if (d="\")and(out_buf[k-1]<>"\") then {in this case |k>1|} +@y + if (d="\")and(out_buf[k-1]<>"\")and(out_buf[k-1]<>"%") then + {in this case |k>1|} +@z + @x [148] Purify 'reduce' and 'squash'. @d production(#)==@!debug prod(#) gubed; goto found @d reduce(#)==red(#); production
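Review bot: in the texk/web2c/ChangeLog hunk, the new entry `* weave.ch: Deal with malign user input.` repeats the commit title instead of saying what changed; ChangeLog entries should name the affected routine and the effect, e.g. `* weave.ch: Do not break an output line at a backslash preceded by '%'; prevents out_buf overflow on over-long macros.` The same applies to the parallel `* cweave.w:` entry in the texk/web2c/cwebdir/ChangeLog hunk, which also carries no detail beyond the title.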
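Review bot: the documentation hunk in cweave.w (around line 1443) now states the rule, "a backslash that isn't preceded by another backslash or a \TeX\ comment marker", but gives no reason for the new exclusion, and the condition is surprising on its own. Add one sentence recording why a `%` immediately before the backslash disqualifies that position as a break point (the overflow case from the commit message), so the next maintainer does not "simplify" it away.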
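Review bot: the code hunk in cweave.w (around line 1456) removes one degenerate break candidate with `&& *k!='%'`, but nothing in `break_out` or its caller enforces that `out_ptr` actually moved below `out_buf_end` afterwards, so a future variation of this input would again overflow `out_buf` silently rather than fail with a capacity error; a post-condition check (or an assertion) that the buffer shrank after `break_out` returns would turn the next such bug into a clean abort. Two smaller points: reading `*k` right after `*(k--)` is only safe because of the `out_buf[0]='\\'` sentinel shown in the context above and the preceding `k==out_buf` test, which deserves a comment next to `/* we've decreased |k| */`; and the fix should land with a regression input in the test suite, i.e. a `%` followed by a macro longer than `line_length`, the case named in the commit message.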
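Review bot: in the weave.ch hunk, the first `@y` block replaces `|"%"|` with `|'%'|`, which looks copied from the C version in cweave.w; WEAVE is Pascal-WEB, where a character constant is written `"%"` (as the `@x` line being replaced and the code in the second block, `out_buf[k-1]<>"%"`, both show), so the typeset documentation should keep `|"%"|`. The second `@x`/`@y` block mirrors the C change correctly; since the `@x` lines must match weave.web byte for byte for the change file to apply, a tangle/weave run over the result should be part of the check-in.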