Array overflow in plain_Label.asy

[jsonn]

While trying to prepare an update for asymptote in pkgsrc to the 2.35 release, I am hitting an overflow in https://github.com/vectorgraphics/asymptote/blob/master/base/plain_Label.asy#L670. The build finishes with an additional check of i < g.length.

I'm not sure that is correct. We still have a (local) patch for dealing with TEXMFLOCAL having more than one component, I don't know if that is related.

[charlesstaats]

Are you using version 9.16 (or later) of Ghostscript? If not, updating Ghostscript will probably solve the problem.

[jsonn]

We are defaulting to the last version of Ghostscript under GPL for the obviouos license complications the AGPL creates. As such, the default is 9.06 and updating is not considered a valid solution.

[charlesstaats]

To the best of my knowledge, only Asymptote versions <= 2.31 are compatible with Ghostscript 9.06. The current version of Asymptote actually tests for Ghostscript version >= 9.14, although the test does not seem to be reliable.

[johncbowman]

Can you enlighten us as to the not-so-obvious license reasons why upgrading Ghostscript is "not consider a valid solution" and who decided that? As Charles suggests, you could always downgrade both Ghostscript and Asymptote, but then you will not have the latest bug fixes and features in either software.

Adding the additional bounds check you suggest just ignores the problem, rather than fixing it. Many features, including 3D font support and others, will not work. We could make asy call gs --version and include the old driver support for obsolete versions of gs, but I don't yet see a convincing reason to justify the coding effort and future maintanence hassles.

[johncbowman]

According to http://www.ghostscript.com/download/gsdnld.html
the latest GPL release is gs-9.18. Version 9.14 has been around since Mar 2014.
I'm inclined to do nothing as the problem you report will eventually go away once everyone has got around to upgrading.

[jsonn]

Please note that they are exclusively talking about the AGPL on that page. The last GPL version is 9.06. The AGPL is a no-go in many commercial settings as it now extends all the GPLv3 restrictions even to internal applications and as usual, the boundary between what is legally a derived work and what the FSF believes it to be is quite unclear.

That said, the reason why I was originally looking at the update is that the older 2.15 version doesn't build either:

../base/graph.asy: 1153.15: Q8.4          
runtime: Cannot read label width

Full build log at http://ftp.netbsd.org/pub/pkgsrc/misc/joerg/20150827.1854/asymptote-2.15nb9/build.log

[johncbowman]

Ok, I addressed this request with 3cf0adc
which at least allows one to build a version of asy for out-of-date systems
by specifying make CFLAGS=-DEPSWRITE

[johncbowman]

In ab000e7
you simply need to set the environment variable ASYMPTOTE_EPSDRIVER to epswrite.