On 3/28/2019 3:57 PM, Marcel Krüger wrote:
Hi,
there are multiple issues memory issues in tprint:
If the buffer passed to tprint only contains of to be escaped characters, the
`xmalloc(strlen(sss)*3)` is too small: The final `\0` can not be written, so
this causes a write into unallocated memory.
If t_flush_buffer is called for such a buffer at the last position, there is an
additional `\n` written, so `xmalloc(strlen(sss)*3+2)` is needed.
Additionally, the test `if (*buffer)` is used to test if there is something to
print left. If the parameter is empty, `*buffer` is never written, so valgrind
complains about `if (*buffer)` depending on uninitialized memory. Instead, `if
(i)` can be used: `i` is the length of the written part of the buffer, so
`i==0` iff there is nothing to write.
A related problem is with `max_print_line`:
If the point where the line should be broken falls inside the escape sequence
of an escaped character,
the line limit is ignored.
This can be fixed by adding
if (term_offset+2>=max_print_line) {
wterm_cr();
term_offset=0;
}
as in `wterm_char` also in tprint above `buffer[i++] = '^';`.
A full patch fixing all three issues is attached.
Can you give a plain tex example where the fault happens? Normally the
max line length kicks in (3 chars) before such an overflow.
(btw, nothing fundamental will change in the texlive code freeze frame)
Hans
-----------------------------------------------------------------
Hans Hagen | PRAGMA ADE
Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl
-----------------------------------------------------------------
_______________________________________________
dev-luatex mailing list
dev-luatex@ntg.nl
https://mailman.ntg.nl/mailman/listinfo/dev-luatex
