add a conditional statement to avoid fread size too big to coredump

[attackoncs]

The function ttfLoadHDMX uses the parsed hdmx size to allocate a Width heap buffer, copies content from the file, and the copy size is determined by numGlyphs. There is no validation of the actual memory size before storing it. Due to the controllable content and size, this could potentially lead to a heap overflow and result in arbitrary code execution.

[kberry]

Well, since you didn't answer my email, I made the fix of allocating the number of entries needed in the first place, namely numGlyphs+1. (r69520 upstream)

BTW, I don't understand why this is numGlyphs+1 and not numGlyphs, per https://developer.apple.com/fonts/TrueType-Reference-Manual/RM06/Chap6hdmx.html, but since the program has always read numGlyphs+1, just leaving it that way.

If you have an actual font that triggers the bug, please let me know. Thanks.

--- libttf/hdmx.c       (revision 69517)
+++ libttf/hdmx.c       (working copy)
@@ -43,7 +43,7 @@ static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULO
        {
            hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
            hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
-           hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE);
+           hdmx->Records[i].Width = XCALLOC (hdmx->numGlyphs+1, BYTE);
            fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->numGlyphs+1,fp);
        }
 }

[vadimkantorov]

Sorry for abusing this PR's comment section to contact the maintainers of this mirror

mktexlsr.pl script is missing from https://github.com/TeX-Live/texlive-source/tree/trunk/texk/texlive/linked_scripts/texlive - there is available older shell script mktexlsr, but mktexlsr.pl is required in fmtutil.pl

It would be great to also put it under the version-control and mirror in Git.

[kberry]

I added mktexlsr.pl to linked_scripts. Thanks.

[vadimkantorov]

Please consider adding a Discussions section (or even Issues) section for this repo :), although I understand that it might be better to not open them if there are not enough people for answering these...

I made some successful efforts of writing TexLive makefiles for building and compiling to WebAssembly which might be interesting to upstream and adding to CI (at least, adding full build scripts to GitHub Actions would be nice, and GH CI is free and allows various Linuxes, Windows and some Mac - this is helpful for more reproducible builds and helping users to start contributing): https://tug.org/pipermail/tlbuild/2021q1/004806.html (some of issues from this email are solved, but some are still standing). Me and my friend are also making some efforts towards fully cross-platform Tex programs. We would be happy to be in contact with someone from the TexLive / Tex ecosystem to discuss these efforts and potentially upstreaming them :)

[norbusan]

@vadimkantorov Thanks for your comments, but please consider that this repo here is NOTHING BUT A MIRROR of the real one that is in SVN. It is here only because we want to do CI testing and release building, but it contains only a small part (the source part) of TeX Live. The full git mirror is 50+Gb which is not allowed by Github, bu you can look at https://git.texlive.info/

Discussion about bugs, builds, suggestions etc should happen on the main texlive mailing list, or on the dedicated tlbuild mailing list.

I am more than happy to get input from you about further CI build integrations. I have recently updated our CI builds to more architectures. I am more than happy to discuss/integrate more test!

[kberry]

Just to emphasize what Norbert said: The mailing lists are the place for discussion. In your case, probably tlbuild@tug.org related to building specifically, although the general tex-live@tug.org is also fine.