Bug#534641: mendex bug
Hi Norbert, hi all,
> +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x))
OK, I recognize 'BUFFERLEN-strlen(x)' is always plus.
Even when buffer is full, strlen(x) become BUFFERLEN-1,
because buffer includes '\0'.
Sorry. Please forget my previous mail.
I'll attach my test source.
-- Thank you,
Nobuyuki Tsuchimura
From: TSUCHIMURA Nobuyuki
Subject: [ptex:00357] Re: mendex bug
Date: Sun, 8 Sep 2013 16:15:58 +0900
Message-ID: <20130908161558k.tutim...@nn.iij4u.or.jp>
> Hi Norbert, hi all,
>
> -#define TAIL(x) (x+strlen(x))
> +#define TAIL(x) ((x)+strlen(x))
>
> It was my fault. Thank you for correcting.
>
> +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x))
>
> Nice idea.
> I'm not sure but I'm wandering if snprintf()
> can handle negative (minus) length or not.
>
>int snprintf(char *str, size_t size, const char *format, ...);
>
> 'size_t' should be unsigned?
>
> Regards,
> Nobuyuki Tsuchimura
>
>
> From: Norbert Preining
> Subject: [ptex:00356] Re: mendex bug
> Date: Sun, 8 Sep 2013 10:59:19 +0900
> Message-ID: <20130908015919.ga20...@gamma.logic.tuwien.ac.at>
>
> > Hi Karl, hi all,
> >
> > On Sa, 07 Sep 2013, Karl Berry wrote:
> > > #define TAIL(x) (x+strlen(x))
> >
> > Done, fixed patch attached: mendex-bugfix
> >
> > > In general, shouldn't snprintf be used to avoid the whole potential of
> > > buffer overrun?
> >
> > Done that for fwrite.c, but there are other cases in the source.
> > Patch for fwrite.c attached, on top of the prvious: mendex-snprintf
> >
> > If anyone can comment on that (review) that would be great, especially
> > the definition of
> > TAIL_LEN(x)
> > (returning two argumetns, the pointer and the remaining length, for
> > the first two arguments of snprintf).
> >
> > Thanks
> >
> > Norbert
> >
> >
> > PREINING, Norbert http://www.preining.info
> > JAIST, Japan TeX Live & Debian Developer
> > DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
> >
>
#include
#include
#include
#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x))
#define BUFFERLEN 25
int snprintfcat(char *str, size_t size, const char *format, ...) {
int n, len;
va_list ap;
len = strlen(str);
if (len >= size) return -1;
printf("size-len=%d\n", size-len);
va_start(ap, format);
n = vsnprintf(str+len, size-len, format, ap);
va_end(ap);
return n;
}
int main() {
char dummy1[25];
char buff[25];
char dummy2[25];
printf("TAIL_LEN\n");
snprintf(buff, sizeof(buff), "%s", "1234567890");
puts(buff);
snprintf(TAIL_LEN(buff), "%s", "1234567890");
puts(buff);
snprintf(TAIL_LEN(buff), "%s", "1234567890");
puts(buff);
snprintf(TAIL_LEN(buff), "%s", "1234567890");
puts(buff);
printf("\nsnprintfcat\n");
snprintf(buff, sizeof(buff), "%s", "1234567890");
puts(buff);
snprintfcat(buff, sizeof(buff), "%s", "1234567890");
puts(buff);
snprintfcat(buff, sizeof(buff), "%s", "1234567890");
puts(buff);
snprintfcat(buff, sizeof(buff), "%s", "1234567890");
puts(buff);
return 0;
}
Bug#534641: mendex bug
Hi Norbert, hi all, -#define TAIL(x) (x+strlen(x)) +#define TAIL(x) ((x)+strlen(x)) It was my fault. Thank you for correcting. +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) Nice idea. I'm not sure but I'm wandering if snprintf() can handle negative (minus) length or not. int snprintf(char *str, size_t size, const char *format, ...); 'size_t' should be unsigned? Regards, Nobuyuki Tsuchimura From: Norbert Preining Subject: [ptex:00356] Re: mendex bug Date: Sun, 8 Sep 2013 10:59:19 +0900 Message-ID: <20130908015919.ga20...@gamma.logic.tuwien.ac.at> > Hi Karl, hi all, > > On Sa, 07 Sep 2013, Karl Berry wrote: > > #define TAIL(x) (x+strlen(x)) > > Done, fixed patch attached: mendex-bugfix > > > In general, shouldn't snprintf be used to avoid the whole potential of > > buffer overrun? > > Done that for fwrite.c, but there are other cases in the source. > Patch for fwrite.c attached, on top of the prvious: mendex-snprintf > > If anyone can comment on that (review) that would be great, especially > the definition of > TAIL_LEN(x) > (returning two argumetns, the pointer and the remaining length, for > the first two arguments of snprintf). > > Thanks > > Norbert > > > PREINING, Norbert http://www.preining.info > JAIST, Japan TeX Live & Debian Developer > DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 > -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#534641: mendex bug
Hi Karl, hi all,
On Sa, 07 Sep 2013, Karl Berry wrote:
> #define TAIL(x) (x+strlen(x))
Done, fixed patch attached: mendex-bugfix
> In general, shouldn't snprintf be used to avoid the whole potential of
> buffer overrun?
Done that for fwrite.c, but there are other cases in the source.
Patch for fwrite.c attached, on top of the prvious: mendex-snprintf
If anyone can comment on that (review) that would be great, especially
the definition of
TAIL_LEN(x)
(returning two argumetns, the pointer and the remaining length, for
the first two arguments of snprintf).
Thanks
Norbert
PREINING, Norbert http://www.preining.info
JAIST, Japan TeX Live & Debian Developer
DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
fix a bug in mendex when range ops and macros are used (Closes: #534641)
---
texk/mendexk/ChangeLog |9 +
texk/mendexk/fwrite.c |5 ++---
2 files changed, 11 insertions(+), 3 deletions(-)
--- texlive-bin.orig/texk/mendexk/ChangeLog
+++ texlive-bin/texk/mendexk/ChangeLog
@@ -1,3 +1,12 @@
+2013-09-08 Norbert Preining
+
+ * fwrite.c: properly parenthesis TAIL macro
+
+2013-09-07 Norbert Preining
+
+ * fwrite.c: fix missing output when range operators are
+ used with macro definitions
+
2012-11-19 Peter Breitenlohner
* Makefile.am: Avoid use of deprecated INCLUDES.
--- texlive-bin.orig/texk/mendexk/fwrite.c
+++ texlive-bin/texk/mendexk/fwrite.c
@@ -15,7 +15,7 @@
static void linecheck(char *lbuff, char *tmpbuff);
static void crcheck(char *lbuff, FILE *fp);
-#define TAIL(x) (x+strlen(x))
+#define TAIL(x) ((x)+strlen(x))
/* if we don't have vsnprintf() */
/* #define vsnprintf(buff,len,format,argptr) vsprintf(buff,format,argptr) */
@@ -384,8 +384,7 @@
ind.p[j].enc++;
}
if (strlen(ind.p[j].enc)>0) {
-
sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix);
-
sprintf(tmpbuff,"%s%s%s",ind.p[j].page,encap_suffix,delim_n);
+
sprintf(tmpbuff,"%s%s%s%s%s%s",encap_prefix,ind.p[j].enc,encap_infix,ind.p[j].page,encap_suffix,delim_n);
linecheck(lbuff,tmpbuff);
}
}
---
texk/mendexk/ChangeLog |1
texk/mendexk/fwrite.c | 103 +
2 files changed, 54 insertions(+), 50 deletions(-)
--- texlive-bin.orig/texk/mendexk/ChangeLog
+++ texlive-bin/texk/mendexk/ChangeLog
@@ -1,6 +1,7 @@
2013-09-08 Norbert Preining
* fwrite.c: properly parenthesis TAIL macro
+ * fwrite.c: replace sprintf with snprintf
2013-09-07 Norbert Preining
--- texlive-bin.orig/texk/mendexk/fwrite.c
+++ texlive-bin/texk/mendexk/fwrite.c
@@ -10,12 +10,15 @@
int line_length=0;
+#define BUFFERLEN 4096
+
static void printpage(struct index *ind, FILE *fp, int num, char *lbuff);
static int range_check(struct index ind, int count, char *lbuff);
static void linecheck(char *lbuff, char *tmpbuff);
static void crcheck(char *lbuff, FILE *fp);
#define TAIL(x) ((x)+strlen(x))
+#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x))
/* if we don't have vsnprintf() */
/* #define vsnprintf(buff,len,format,argptr) vsprintf(buff,format,argptr) */
@@ -67,7 +70,7 @@
void indwrite(char *filename, struct index *ind, int pagenum)
{
int i,j,hpoint=0;
- char datama[256],lbuff[4096];
+ char datama[256],lbuff[BUFFERLEN];
FILE *fp;
if (filename[0]!='\0' && kpse_out_name_ok(filename))
fp=fopen(filename,"wb");
@@ -99,7 +102,7 @@
fprintf(fp,"%s%s%s",lethead_prefix,symhead_negative,lethead_suffix);
}
}
- sprintf(lbuff,"%s%s",item_0,ind[i].idx[0]);
+ snprintf(lbuff, BUFFERLEN,
"%s%s",item_0,ind[i].idx[0]);
}
else if (alphabet(ind[i].dic[0][0])) {
if (lethead_flag>0) {
@@ -108,7 +111,7 @@
else if (lethead_flag<0) {
fprintf(fp,"%s%c%s",lethead_prefix,ind[i].dic[0][0]+32,lethead_suffix);
}
- sprintf(lbuff,"%s%s",item_0,ind[i].idx[0]);
+ snprintf(lbuff, BUFFERLEN,
"%s%s",item_0,ind[i].idx[0]);
}
else
Bug#534641: mendex bug
On Sa, 07 Sep 2013, Karl Berry wrote: > As you know, it was part of the general Japanese-TeX import into TL, so > I suppose you and Akira are :), with the rest of us chipping in as > necessary. > > Please apply whatever patch you see fit. Ok, will do that. > #define TAIL(x) (x+strlen(x)) > > The first x on the RHS should be parenthesized, as a matter of general > programming practice: > ((x)+strlen(x)) Ok, wil ldo that, too. > > > sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix); > > In general, shouldn't snprintf be used to avoid the whole potential of > buffer overrun? I will take a look at it and see if I can get rid of some of those. Norbert PREINING, Norbert http://www.preining.info JAIST, Japan TeX Live & Debian Developer DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#534641: mendex bug
I am not sure who is currently maintaining mendex, As you know, it was part of the general Japanese-TeX import into TL, so I suppose you and Akira are :), with the rest of us chipping in as necessary. Please apply whatever patch you see fit. #define TAIL(x) (x+strlen(x)) The first x on the RHS should be parenthesized, as a matter of general programming practice: ((x)+strlen(x)) > sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix); In general, shouldn't snprintf be used to avoid the whole potential of buffer overrun? karl -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#534641: mendex bug
Dear all,
I hope there is still someone listening.
Since quite some time there is a bug in mendex.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534641
Easy to reproduce:
With the following idx file:
\indexentry{foo|(}{1}
\indexentry{foo|mac}{1}
\indexentry{foo|)}{1}
mendex produces
...
\item foo, 1}, 1
...
instead of
...
\item foo, \mac{1}, 1
...
I looked through the current sources in TeX Live and found that
in fwrite.c, function range_check:
if (strlen(ind.p[j].enc)>0) {
sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix);
sprintf(tmpbuff,"%s%s%s",ind.p[j].page,encap_suffix,delim_n);
linecheck(lbuff,tmpbuff);
}
that looks suspicious. The tmpbuff is overwritten on the second
incantation, and in fact the
encap_prefix(which is \)
ind.p[j].enc(which is the macro name)
encap_infix (which is {)
are missing from the output.
So my guess is that the correct version would be to have
sprintf(tmpbuff,"%s%s%s%s%s%s",encap_prefix,ind.p[j].enc,encap_infix,ind.p[j].page,encap_suffix,delim_n);
instead.
And indeed, with that change the output is as expected.
Checking the differences I see that the *reverse change* was introduced
between 2.6c and 2.6d. So till 2.6c the above line was there.
I am not sure who is currently maintaining mendex, but I would
suggest to fix it as lined out above.I attach a patch against
current TeX Live sources (as far as I see).
Norbert
PREINING, Norbert http://www.preining.info
JAIST, Japan TeX Live & Debian Developer
DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
diff --git a/texk/mendexk/ChangeLog b/texk/mendexk/ChangeLog
index fe87113..571bc64 100644
--- a/texk/mendexk/ChangeLog
+++ b/texk/mendexk/ChangeLog
@@ -1,3 +1,8 @@
+2013-09-07 Norbert Preining
+
+ * fwrite.c: fix missing output when range operators are
+ used with macro definitions
+
2012-11-19 Peter Breitenlohner
* Makefile.am: Avoid use of deprecated INCLUDES.
diff --git a/texk/mendexk/fwrite.c b/texk/mendexk/fwrite.c
index 8c18782..bc5a0ec 100644
--- a/texk/mendexk/fwrite.c
+++ b/texk/mendexk/fwrite.c
@@ -384,8 +384,7 @@ static int range_check(struct index ind, int count, char *lbuff)
ind.p[j].enc++;
}
if (strlen(ind.p[j].enc)>0) {
- sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix);
- sprintf(tmpbuff,"%s%s%s",ind.p[j].page,encap_suffix,delim_n);
+ sprintf(tmpbuff,"%s%s%s%s%s%s",encap_prefix,ind.p[j].enc,encap_infix,ind.p[j].page,encap_suffix,delim_n);
linecheck(lbuff,tmpbuff);
}
}
