[metapost] Handle truncation in mpx_cleandir

Richard Copley rcopley at gmail.com
Thu Aug 12 11:47:57 CEST 2021


On 64-bit Windows systems, when MetaPost calls mpx_cleandir to delete
temporary auxiliary files (e.g., from running TeX to format a label),
it segfaults in RtlEnterCriticalSection.

This affected, for example, the 64-bit binaries built by the MSYS2
project. (See <https://github.com/msys2/MINGW-packages/pull/9350>.)
It doesn't affect the 32-bit binaries shipped by the TexLive
project.

See mpx_cleandir in "mpxout.w". hFile is declared as long. The handle
returned by _findfirst is stored there and truncated. Then it is
sign-extended and passed to _findnext. There is a segfault when it is
first dereferenced, which happens in RtlEnterCriticalSection.

This can be fixed by changing "long" to "intptr_t" in mpx_cleandir.

An example MetaPost program that leads to the crash:

  beginfig(0); label(btex $x$ etex, (0,0)); endfig; end;

To reliably reproduce the crash, place the program in a file in an
otherwise empty directory and run mpost.exe in that directory.

Warm regards,
Richard.
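The truncation described above, as an added example that is not part of the report or of the MetaPost sources: a 64-bit handle stored in a 32-bit `long` (the 64-bit Windows LLP64 model) and read back sign-extended. The Windows types are simulated with fixed-width integers so the example runs on any host; the handle value is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* On 64-bit Windows (LLP64) `long` is 32 bits and `intptr_t` is 64 bits.
 * These typedefs stand in for those Windows types so the example behaves
 * the same on LP64 systems such as Linux. */
typedef int64_t win64_intptr_t;   /* what _findfirst actually returns */
typedef int32_t win64_long_t;     /* the `long` mpx_cleandir used for hFile */

/* The buggy pattern: the handle passes through a 32-bit variable and is
 * sign-extended on the way back out, as happens before the _findnext call. */
win64_intptr_t round_trip_through_long(win64_intptr_t handle) {
    win64_long_t hFile = (win64_long_t)handle;  /* high 32 bits dropped */
    return (win64_intptr_t)hFile;               /* sign-extended to 64 bits */
}

/* The fixed pattern: keep the handle in intptr_t, nothing is lost. */
win64_intptr_t round_trip_through_intptr(win64_intptr_t handle) {
    win64_intptr_t hFile = handle;
    return hFile;
}

/* 1 if storing this handle in a 32-bit `long` would corrupt it, else 0. */
int handle_is_corrupted_by_long(win64_intptr_t handle) {
    return round_trip_through_long(handle) != handle;
}

int main(void) {
    /* Constructed sample: a heap-style 64-bit handle value. Any handle whose
     * upper 32 bits are non-zero, or whose bit 31 is set, is corrupted. */
    win64_intptr_t handle = (win64_intptr_t)0x000001D5ABCD8F10LL;
    printf("original : 0x%016llx\n", (unsigned long long)handle);
    printf("via long : 0x%016llx (corrupted=%d)\n",
           (unsigned long long)round_trip_through_long(handle),
           handle_is_corrupted_by_long(handle));
    printf("via intptr: 0x%016llx\n",
           (unsigned long long)round_trip_through_intptr(handle));
    return 0;
}
```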
