Buffer overflow. #43

Closed
ascherer opened this issue Jul 16, 2023 · 4 comments
ascherer (Owner) commented Jul 16, 2023

See https://tug.org/pipermail/tex-live/2023-July/049306.html for details. This affects CWEB and WEB alike.

ascherer added the bug label Jul 16, 2023
ascherer (Owner, Author) commented Jul 17, 2023

Let's begin with a minimal working example out_buf-overflow.w that shows the differentiated behaviour:

% Overfull input lines in limbo:

% Plain TeX paragraph comment
% bbbbbb10 bbbbbbb20 bbbbbbb30 bbbbbbb40 bbbbbbb50 bbbbbbb60 bbbbbbb70 bbbbbbb80 bbbbbbb90 bbbbbb100 bbbbbb110 bbbbbb120 bbbbbb130 bbbbbb140 bbbbbb150 bbbbbb160

% Plain TeX block comment
%bbbbbbb10bbbbbbbb20bbbbbbbb30bbbbbbbb40bbbbbbbb50bbbbbbbb60bbbbbbbb70bbbbbbbb80bbbbbbbb90bbbbbbb100bbbbbbb110bbbbbbb120bbbbbbb130bbbbbbb140bbbbbbb150bbbbbbb160

% Escaped TeX macro block comment
%\bbbbbb10\bbbbbbb20\bbbbbbb30\bbbbbbb40\bbbbbbb50\bbbbbbb60\bbbbbbb70\bbbbbbb80\bbbbbbb90\bbbbbb100\bbbbbb110\bbbbbb120\bbbbbb130\bbbbbb140\bbbbbb150\bbbbbb160

% Escaped TeX block comment
%\bbbbbb10bbbbbbbb20bbbbbbbb30bbbbbbbb40bbbbbbbb50bbbbbbbb60bbbbbbbb70bbbbbbbb80bbbbbbbb90bbbbbbb100bbbbbbb110bbbbbbb120bbbbbbb130bbbbbbb140bbbbbbb150bbbbbbb160

Run this through

  • classic WEAVE: Incomplete output for input 1 to 3 (cut at 100 chars; you have been warned), clobbered output for input 4
  • TeX Live weave: Correct output for input 1 to 3, clobbered output for input 4
  • classic CWEAVE: Correct output for input 1 to 3, zsh trace trap on input 4
  • TeX Live cweave: Correct output for input 1 to 3, zsh trace trap on input 4

ascherer (Owner, Author) commented Jul 17, 2023

Then let's check

  • Long lines in TeX parts
  • Extremely_long_identifiers_from_malicious_hackers
  • Long "strings" (TANGLE and ctangle)
  • Long lines introduced via change file

ascherer (Owner, Author) commented
Fix is imminent:

diff --git a/weave.web b/weave.web
index 4981570..f808fa5 100644
--- a/weave.web
+++ b/weave.web
@@ -2245,7 +2245,8 @@ loop@+  begin if k=0 then
   if d=" " then
     begin flush_buffer(k,false,true); return;
     end;
-  if (d="\")and(out_buf[k-1]<>"\") then {in this case |k>1|}
+  if (d="\")and(out_buf[k-1]<>"\")and(out_buf[k-1]<>"%") then
+      {in this case |k>1|}
     begin flush_buffer(k-1,true,true); return;
     end;
   decr(k);
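
Review bot: the added `(out_buf[k-1]<>"%")` clause refuses a break between a comment `%` and the backslash right after it, but it cannot tell that apart from an escaped percent sign: in `\%\foo` the backslash before `foo` is a sound break point that is now skipped as well. This is probably harmless, since the loop keeps going via `decr(k)` and falls back to the `k=0` case, but the wrapped `{in this case |k>1|}` should state that both `out_buf[k-1]` reads, the old and the new one, rely on that invariant, and a short note on the intentional `\%\` trade-off would save the next reader a puzzle.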
diff --git a/cweave.w b/cweave.w
index 61fdc0a..06dc87c 100644
--- a/cweave.w
+++ b/cweave.w
@@ -1456,7 +1456,7 @@ break_out(void) /* finds a way to break the output line */
     if (*k==' ') {
       flush_buffer(k,false,true); return;
     }
-    if (*(k--)=='\\' && *k!='\\') { /* we've decreased |k| */
+    if (*(k--)=='\\' && *k!='\\' && *k!='%') { /* we've decreased |k| */
       flush_buffer(k,true,true); return;
     }
   }
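
Review bot: `*(k--)=='\\'` decrements `k` as a side effect inside the condition, so the new `*k!='%'` operand, like the existing `*k!='\\'`, reads the character before the backslash only because `&&` evaluated the first operand first; that is correct and mirrors the `weave.web` hunk, but a third test hanging off a side-effecting operand is easy to misread. Consider making the decrement explicit, e.g. `char d=*k--;` followed by `if (d=='\\' && *k!='\\' && *k!='%')`, which also matches the `d` used in the WEB version. Note also that this only removes the `%\` break point from the reported case; a line longer than `buf_size` is a separate problem that the following comment raises.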

ascherer (Owner, Author) commented Jul 18, 2023

Extend the example input lines so that they are longer than buf_size (200). Then cweave reacts differently than weave. Check that input_ln (common.w) doesn't store more than buf_size characters.
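
As an added illustration of the check asked for here (example code, not CWEB's own `input_ln` from `common.w`), a bounded line reader that keeps at most `buf_size` (200) characters and consumes the rest of an over-long line, the behaviour the later fix describes. The sample input and the `count_lines` driver are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define buf_size 200              /* limit quoted in the issue */
static char buffer[buf_size + 1]; /* +1 for the terminating NUL */
static size_t buffer_len;         /* characters kept from the current line */
static bool line_truncated;       /* current line exceeded buf_size */
/* Model of a bounded input_ln (not CWEB's code): keeps at most buf_size
 * characters of a line; the excess is consumed and dropped so the next call
 * starts at the next real line rather than at its tail. False only at EOF. */
static bool input_ln(FILE *fp)
{
    int c = getc(fp);
    buffer_len = 0;
    line_truncated = false;
    if (c == EOF) { buffer[0] = '\0'; return false; }
    while (c != EOF && c != '\n') {
        if (buffer_len < buf_size) buffer[buffer_len++] = (char)c;
        else line_truncated = true;   /* drop it; never write past the end */
        c = getc(fp);
    }
    buffer[buffer_len] = '\0';
    return true;
}

/* Constructed input: a 250-character line (over buf_size), then a short one. */
static const char *sample_text(void)
{
    static char text[300];
    memset(text, 'b', 250);
    strcpy(text + 250, "\n% short comment\n");
    return text;
}

/* Runs the reader over a whole text: returns the number of lines seen and
 * records how many were cut and the longest length kept. */
static int truncated_lines, longest_kept;
static int count_lines(const char *text)
{
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    int n = 0;  truncated_lines = longest_kept = 0;   /* reset per run */
    if (!fp) return -1;
    while (input_ln(fp)) {
        n++;
        if (line_truncated) truncated_lines++;
        if ((int)buffer_len > longest_kept) longest_kept = (int)buffer_len;
    }
    fclose(fp);
    return n;
}
```

With the 250-character line the reader reports two lines, not three: the 50 dropped characters are never mistaken for a line of their own, and nothing is written beyond `buffer[buf_size]`.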

ascherer reopened this Jul 18, 2023
ascherer added a commit that referenced this issue Aug 19, 2023
Fixes:

* Fix issue #43: 'out_buf' overflow on malign user input
  - Handle border case from bug report
  - Discard rest of input lines exceeding 'buf_size' characters
  - Purge 'ungetc' from the TeX part as well
* Fix typo in 'examples/wordtest.w' (reported by DEK)
* 'Ilk' is of type 'eight_bits'
* Avoid over-/underflow of section depth with malicious user input

Internal changes:

* Unroll 'init_p' helper function in COMMON
  - it is used for CWEAVE only (and CTWILL downstream)
* Match 'common.w' and 'common.h'
  - Reshuffle declarations and some code sections
  - Add starred section titles
* Demote all starred sections in 'common.w' (single star)
* Code cleanup
  - Make 'pop_level' a simple macro in CWEAVE
  - Use structure assignment (as in CTANGLE)
  - More compact 'stack' handling
  - Make use of type 'mode'
  - Purge a few 'goto' statements (and add some others)
  - Replace some 'sprintf' with 'snprintf'
  - Syntactic sugar for functional macros
  - Straighten 'byte_start' arithmetic
  - Dissolve former section 19 of CWEAVE with internal array sizes
  - Hide 'print_text' analytics function from C compiler with DEBUG
  - Streamline 'phase_two' of CTANGLE
  - Refurbish 'phase_three' of CWEAVE
* Insert blank line after '\ch' in TeX output (cf. CWEB 3.0)

Macro changes:

* Clean up some '\acro' macros in 'cwebmac.tex'