Bug#534641: mendex bug
Hi Norbert, hi all, > +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) OK, I recognize 'BUFFERLEN-strlen(x)' is always plus. Even when buffer is full, strlen(x) become BUFFERLEN-1, because buffer includes '\0'. Sorry. Please forget my previous mail. I'll attach my test source. -- Thank you, Nobuyuki Tsuchimura From: TSUCHIMURA Nobuyuki Subject: [ptex:00357] Re: mendex bug Date: Sun, 8 Sep 2013 16:15:58 +0900 Message-ID: <20130908161558k.tutim...@nn.iij4u.or.jp> > Hi Norbert, hi all, > > -#define TAIL(x) (x+strlen(x)) > +#define TAIL(x) ((x)+strlen(x)) > > It was my fault. Thank you for correcting. > > +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) > > Nice idea. > I'm not sure but I'm wandering if snprintf() > can handle negative (minus) length or not. > >int snprintf(char *str, size_t size, const char *format, ...); > > 'size_t' should be unsigned? > > Regards, > Nobuyuki Tsuchimura > > > From: Norbert Preining > Subject: [ptex:00356] Re: mendex bug > Date: Sun, 8 Sep 2013 10:59:19 +0900 > Message-ID: <20130908015919.ga20...@gamma.logic.tuwien.ac.at> > > > Hi Karl, hi all, > > > > On Sa, 07 Sep 2013, Karl Berry wrote: > > > #define TAIL(x) (x+strlen(x)) > > > > Done, fixed patch attached: mendex-bugfix > > > > > In general, shouldn't snprintf be used to avoid the whole potential of > > > buffer overrun? > > > > Done that for fwrite.c, but there are other cases in the source. > > Patch for fwrite.c attached, on top of the prvious: mendex-snprintf > > > > If anyone can comment on that (review) that would be great, especially > > the definition of > > TAIL_LEN(x) > > (returning two argumetns, the pointer and the remaining length, for > > the first two arguments of snprintf). > > > > Thanks > > > > Norbert > > > > > > PREINING, Norbert http://www.preining.info > > JAIST, Japan TeX Live & Debian Developer > > DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 > > > #include #include #include #define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) #define BUFFERLEN 25 int snprintfcat(char *str, size_t size, const char *format, ...) { int n, len; va_list ap; len = strlen(str); if (len >= size) return -1; printf("size-len=%d\n", size-len); va_start(ap, format); n = vsnprintf(str+len, size-len, format, ap); va_end(ap); return n; } int main() { char dummy1[25]; char buff[25]; char dummy2[25]; printf("TAIL_LEN\n"); snprintf(buff, sizeof(buff), "%s", "1234567890"); puts(buff); snprintf(TAIL_LEN(buff), "%s", "1234567890"); puts(buff); snprintf(TAIL_LEN(buff), "%s", "1234567890"); puts(buff); snprintf(TAIL_LEN(buff), "%s", "1234567890"); puts(buff); printf("\nsnprintfcat\n"); snprintf(buff, sizeof(buff), "%s", "1234567890"); puts(buff); snprintfcat(buff, sizeof(buff), "%s", "1234567890"); puts(buff); snprintfcat(buff, sizeof(buff), "%s", "1234567890"); puts(buff); snprintfcat(buff, sizeof(buff), "%s", "1234567890"); puts(buff); return 0; }
Bug#534641: mendex bug
Hi Norbert, hi all, -#define TAIL(x) (x+strlen(x)) +#define TAIL(x) ((x)+strlen(x)) It was my fault. Thank you for correcting. +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) Nice idea. I'm not sure but I'm wandering if snprintf() can handle negative (minus) length or not. int snprintf(char *str, size_t size, const char *format, ...); 'size_t' should be unsigned? Regards, Nobuyuki Tsuchimura From: Norbert Preining Subject: [ptex:00356] Re: mendex bug Date: Sun, 8 Sep 2013 10:59:19 +0900 Message-ID: <20130908015919.ga20...@gamma.logic.tuwien.ac.at> > Hi Karl, hi all, > > On Sa, 07 Sep 2013, Karl Berry wrote: > > #define TAIL(x) (x+strlen(x)) > > Done, fixed patch attached: mendex-bugfix > > > In general, shouldn't snprintf be used to avoid the whole potential of > > buffer overrun? > > Done that for fwrite.c, but there are other cases in the source. > Patch for fwrite.c attached, on top of the prvious: mendex-snprintf > > If anyone can comment on that (review) that would be great, especially > the definition of > TAIL_LEN(x) > (returning two argumetns, the pointer and the remaining length, for > the first two arguments of snprintf). > > Thanks > > Norbert > > > PREINING, Norbert http://www.preining.info > JAIST, Japan TeX Live & Debian Developer > DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 > -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#534641: mendex bug
Hi Karl, hi all, On Sa, 07 Sep 2013, Karl Berry wrote: > #define TAIL(x) (x+strlen(x)) Done, fixed patch attached: mendex-bugfix > In general, shouldn't snprintf be used to avoid the whole potential of > buffer overrun? Done that for fwrite.c, but there are other cases in the source. Patch for fwrite.c attached, on top of the prvious: mendex-snprintf If anyone can comment on that (review) that would be great, especially the definition of TAIL_LEN(x) (returning two argumetns, the pointer and the remaining length, for the first two arguments of snprintf). Thanks Norbert PREINING, Norbert http://www.preining.info JAIST, Japan TeX Live & Debian Developer DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 fix a bug in mendex when range ops and macros are used (Closes: #534641) --- texk/mendexk/ChangeLog |9 + texk/mendexk/fwrite.c |5 ++--- 2 files changed, 11 insertions(+), 3 deletions(-) --- texlive-bin.orig/texk/mendexk/ChangeLog +++ texlive-bin/texk/mendexk/ChangeLog @@ -1,3 +1,12 @@ +2013-09-08 Norbert Preining + + * fwrite.c: properly parenthesis TAIL macro + +2013-09-07 Norbert Preining + + * fwrite.c: fix missing output when range operators are + used with macro definitions + 2012-11-19 Peter Breitenlohner * Makefile.am: Avoid use of deprecated INCLUDES. --- texlive-bin.orig/texk/mendexk/fwrite.c +++ texlive-bin/texk/mendexk/fwrite.c @@ -15,7 +15,7 @@ static void linecheck(char *lbuff, char *tmpbuff); static void crcheck(char *lbuff, FILE *fp); -#define TAIL(x) (x+strlen(x)) +#define TAIL(x) ((x)+strlen(x)) /* if we don't have vsnprintf() */ /* #define vsnprintf(buff,len,format,argptr) vsprintf(buff,format,argptr) */ @@ -384,8 +384,7 @@ ind.p[j].enc++; } if (strlen(ind.p[j].enc)>0) { - sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix); - sprintf(tmpbuff,"%s%s%s",ind.p[j].page,encap_suffix,delim_n); + sprintf(tmpbuff,"%s%s%s%s%s%s",encap_prefix,ind.p[j].enc,encap_infix,ind.p[j].page,encap_suffix,delim_n); linecheck(lbuff,tmpbuff); } } --- texk/mendexk/ChangeLog |1 texk/mendexk/fwrite.c | 103 + 2 files changed, 54 insertions(+), 50 deletions(-) --- texlive-bin.orig/texk/mendexk/ChangeLog +++ texlive-bin/texk/mendexk/ChangeLog @@ -1,6 +1,7 @@ 2013-09-08 Norbert Preining * fwrite.c: properly parenthesis TAIL macro + * fwrite.c: replace sprintf with snprintf 2013-09-07 Norbert Preining --- texlive-bin.orig/texk/mendexk/fwrite.c +++ texlive-bin/texk/mendexk/fwrite.c @@ -10,12 +10,15 @@ int line_length=0; +#define BUFFERLEN 4096 + static void printpage(struct index *ind, FILE *fp, int num, char *lbuff); static int range_check(struct index ind, int count, char *lbuff); static void linecheck(char *lbuff, char *tmpbuff); static void crcheck(char *lbuff, FILE *fp); #define TAIL(x) ((x)+strlen(x)) +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) /* if we don't have vsnprintf() */ /* #define vsnprintf(buff,len,format,argptr) vsprintf(buff,format,argptr) */ @@ -67,7 +70,7 @@ void indwrite(char *filename, struct index *ind, int pagenum) { int i,j,hpoint=0; - char datama[256],lbuff[4096]; + char datama[256],lbuff[BUFFERLEN]; FILE *fp; if (filename[0]!='\0' && kpse_out_name_ok(filename)) fp=fopen(filename,"wb"); @@ -99,7 +102,7 @@ fprintf(fp,"%s%s%s",lethead_prefix,symhead_negative,lethead_suffix); } } - sprintf(lbuff,"%s%s",item_0,ind[i].idx[0]); + snprintf(lbuff, BUFFERLEN, "%s%s",item_0,ind[i].idx[0]); } else if (alphabet(ind[i].dic[0][0])) { if (lethead_flag>0) { @@ -108,7 +111,7 @@ else if (lethead_flag<0) { fprintf(fp,"%s%c%s",lethead_prefix,ind[i].dic[0][0]+32,lethead_suffix); } - sprintf(lbuff,"%s%s",item_0,ind[i].idx[0]); + snprintf(lbuff, BUFFERLEN, "%s%s",item_0,ind[i].idx[0]); } else
Bug#534641: mendex bug
On Sa, 07 Sep 2013, Karl Berry wrote: > As you know, it was part of the general Japanese-TeX import into TL, so > I suppose you and Akira are :), with the rest of us chipping in as > necessary. > > Please apply whatever patch you see fit. Ok, will do that. > #define TAIL(x) (x+strlen(x)) > > The first x on the RHS should be parenthesized, as a matter of general > programming practice: > ((x)+strlen(x)) Ok, wil ldo that, too. > > > sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix); > > In general, shouldn't snprintf be used to avoid the whole potential of > buffer overrun? I will take a look at it and see if I can get rid of some of those. Norbert PREINING, Norbert http://www.preining.info JAIST, Japan TeX Live & Debian Developer DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#534641: mendex bug
I am not sure who is currently maintaining mendex, As you know, it was part of the general Japanese-TeX import into TL, so I suppose you and Akira are :), with the rest of us chipping in as necessary. Please apply whatever patch you see fit. #define TAIL(x) (x+strlen(x)) The first x on the RHS should be parenthesized, as a matter of general programming practice: ((x)+strlen(x)) > sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix); In general, shouldn't snprintf be used to avoid the whole potential of buffer overrun? karl -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#534641: mendex bug
Dear all, I hope there is still someone listening. Since quite some time there is a bug in mendex. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534641 Easy to reproduce: With the following idx file: \indexentry{foo|(}{1} \indexentry{foo|mac}{1} \indexentry{foo|)}{1} mendex produces ... \item foo, 1}, 1 ... instead of ... \item foo, \mac{1}, 1 ... I looked through the current sources in TeX Live and found that in fwrite.c, function range_check: if (strlen(ind.p[j].enc)>0) { sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix); sprintf(tmpbuff,"%s%s%s",ind.p[j].page,encap_suffix,delim_n); linecheck(lbuff,tmpbuff); } that looks suspicious. The tmpbuff is overwritten on the second incantation, and in fact the encap_prefix(which is \) ind.p[j].enc(which is the macro name) encap_infix (which is {) are missing from the output. So my guess is that the correct version would be to have sprintf(tmpbuff,"%s%s%s%s%s%s",encap_prefix,ind.p[j].enc,encap_infix,ind.p[j].page,encap_suffix,delim_n); instead. And indeed, with that change the output is as expected. Checking the differences I see that the *reverse change* was introduced between 2.6c and 2.6d. So till 2.6c the above line was there. I am not sure who is currently maintaining mendex, but I would suggest to fix it as lined out above.I attach a patch against current TeX Live sources (as far as I see). Norbert PREINING, Norbert http://www.preining.info JAIST, Japan TeX Live & Debian Developer DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 diff --git a/texk/mendexk/ChangeLog b/texk/mendexk/ChangeLog index fe87113..571bc64 100644 --- a/texk/mendexk/ChangeLog +++ b/texk/mendexk/ChangeLog @@ -1,3 +1,8 @@ +2013-09-07 Norbert Preining + + * fwrite.c: fix missing output when range operators are + used with macro definitions + 2012-11-19 Peter Breitenlohner * Makefile.am: Avoid use of deprecated INCLUDES. diff --git a/texk/mendexk/fwrite.c b/texk/mendexk/fwrite.c index 8c18782..bc5a0ec 100644 --- a/texk/mendexk/fwrite.c +++ b/texk/mendexk/fwrite.c @@ -384,8 +384,7 @@ static int range_check(struct index ind, int count, char *lbuff) ind.p[j].enc++; } if (strlen(ind.p[j].enc)>0) { - sprintf(tmpbuff,"%s%s%s",encap_prefix,ind.p[j].enc,encap_infix); - sprintf(tmpbuff,"%s%s%s",ind.p[j].page,encap_suffix,delim_n); + sprintf(tmpbuff,"%s%s%s%s%s%s",encap_prefix,ind.p[j].enc,encap_infix,ind.p[j].page,encap_suffix,delim_n); linecheck(lbuff,tmpbuff); } }