[tex-k] [TeX-Live/texlive-source] add a conditional statement to avoid fread size too big to coredump (PR #63)

Karl Berry karl at freefriends.org
Wed Jan 17 17:15:36 CET 2024

    >   https://github.com/TeX-Live/texlive-source/pull/63

Thanks for the patch. Why not calloc numGlyphs[+1] instead of size in
the first place? It looks like that was the original error, going by the
comments. (I know nothing much first-hand about ttf format.)

Your patch would not overflow the array, but it would also leave the
file pointer in the middle of the Width table, wouldn't it?

I'm also puzzled by reading hdmx->numGlyphs+1 bytes instead of
hdmx->numGlyphs, if the length of the width array is actually numGlyphs
as comment in tables.h says. Is there really numGlyphs+1 widths because
there's a trailing zero, or something?

Do you have a font that triggers the bug? (To confirm any fix.)


diff --git a/texk/ttfdump/libttf/hdmx.c b/texk/ttfdump/libttf/hdmx.c
index d91b98eb1b..a0ee60ca59 100644
--- a/texk/ttfdump/libttf/hdmx.c
+++ b/texk/ttfdump/libttf/hdmx.c
@@ -44,7 +44,11 @@ static void ttfLoadHDMX (FILE *fp,HDMXPtr hdmx,ULONG offset)
 	    hdmx->Records[i].PixelSize = ttfGetBYTE(fp);
 	    hdmx->Records[i].MaxWidth = ttfGetBYTE(fp);
 	    hdmx->Records[i].Width = XCALLOC (hdmx->size, BYTE);
-	    fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->numGlyphs+1,fp);
+	    //if hdmx->numGlyphs+1 > hdmx->size,it will coredump,so we read min(hdmx->numGlyphs+1,hdmx->size) and truncate the remainder.
+	    if (hdmx->numGlyphs+1 <= hdmx->size)
+	    	fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->numGlyphs+1,fp);
+	    else
+		fread ((hdmx->Records+i)->Width, sizeof(BYTE), hdmx->size,fp);
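Review bot: the allocation and the read count still disagree in this hunk (Width is allocated with hdmx->size bytes, but the read wants hdmx->numGlyphs+1), and clamping the count to hdmx->size only hides that mismatch: the buffer is silently truncated and the file pointer is left hdmx->numGlyphs+1-hdmx->size bytes short of the end of the record, so the next record is parsed from the wrong offset. Better to make the buffer match what is read, either XCALLOC (hdmx->numGlyphs+1, BYTE) or reading hdmx->numGlyphs if that is the real width-table length, and to check fread's return value so a short or malformed file is reported instead of leaving Width zero-filled. Minor: the `//` comment and the mixed tab/space indentation differ from the surrounding C style in this file.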