Bug#534641: mendex bug
Hi Norbert, hi all, -#define TAIL(x) (x+strlen(x)) +#define TAIL(x) ((x)+strlen(x)) It was my fault. Thank you for correcting. +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) Nice idea. I'm not sure but I'm wandering if snprintf() can handle negative (minus) length or not. int snprintf(char *str, size_t size, const char *format, ...); 'size_t' should be unsigned? Regards, Nobuyuki Tsuchimura From: Norbert Preining prein...@logic.at Subject: [ptex:00356] Re: mendex bug Date: Sun, 8 Sep 2013 10:59:19 +0900 Message-ID: 20130908015919.ga20...@gamma.logic.tuwien.ac.at Hi Karl, hi all, On Sa, 07 Sep 2013, Karl Berry wrote: #define TAIL(x) (x+strlen(x)) Done, fixed patch attached: mendex-bugfix In general, shouldn't snprintf be used to avoid the whole potential of buffer overrun? Done that for fwrite.c, but there are other cases in the source. Patch for fwrite.c attached, on top of the prvious: mendex-snprintf If anyone can comment on that (review) that would be great, especially the definition of TAIL_LEN(x) (returning two argumetns, the pointer and the remaining length, for the first two arguments of snprintf). Thanks Norbert PREINING, Norbert http://www.preining.info JAIST, Japan TeX Live Debian Developer DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#534641: mendex bug
Hi Norbert, hi all, +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) OK, I recognize 'BUFFERLEN-strlen(x)' is always plus. Even when buffer is full, strlen(x) become BUFFERLEN-1, because buffer includes '\0'. Sorry. Please forget my previous mail. I'll attach my test source. -- Thank you, Nobuyuki Tsuchimura From: TSUCHIMURA Nobuyuki tutim...@nn.iij4u.or.jp Subject: [ptex:00357] Re: mendex bug Date: Sun, 8 Sep 2013 16:15:58 +0900 Message-ID: 20130908161558k.tutim...@nn.iij4u.or.jp Hi Norbert, hi all, -#define TAIL(x) (x+strlen(x)) +#define TAIL(x) ((x)+strlen(x)) It was my fault. Thank you for correcting. +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) Nice idea. I'm not sure but I'm wandering if snprintf() can handle negative (minus) length or not. int snprintf(char *str, size_t size, const char *format, ...); 'size_t' should be unsigned? Regards, Nobuyuki Tsuchimura From: Norbert Preining prein...@logic.at Subject: [ptex:00356] Re: mendex bug Date: Sun, 8 Sep 2013 10:59:19 +0900 Message-ID: 20130908015919.ga20...@gamma.logic.tuwien.ac.at Hi Karl, hi all, On Sa, 07 Sep 2013, Karl Berry wrote: #define TAIL(x) (x+strlen(x)) Done, fixed patch attached: mendex-bugfix In general, shouldn't snprintf be used to avoid the whole potential of buffer overrun? Done that for fwrite.c, but there are other cases in the source. Patch for fwrite.c attached, on top of the prvious: mendex-snprintf If anyone can comment on that (review) that would be great, especially the definition of TAIL_LEN(x) (returning two argumetns, the pointer and the remaining length, for the first two arguments of snprintf). Thanks Norbert PREINING, Norbert http://www.preining.info JAIST, Japan TeX Live Debian Developer DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 #include stdio.h #include string.h #include stdarg.h #define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) #define BUFFERLEN 25 int snprintfcat(char *str, size_t size, const char *format, ...) { int n, len; va_list ap; len = strlen(str); if (len = size) return -1; printf(size-len=%d\n, size-len); va_start(ap, format); n = vsnprintf(str+len, size-len, format, ap); va_end(ap); return n; } int main() { char dummy1[25]; char buff[25]; char dummy2[25]; printf(TAIL_LEN\n); snprintf(buff, sizeof(buff), %s, 1234567890); puts(buff); snprintf(TAIL_LEN(buff), %s, 1234567890); puts(buff); snprintf(TAIL_LEN(buff), %s, 1234567890); puts(buff); snprintf(TAIL_LEN(buff), %s, 1234567890); puts(buff); printf(\nsnprintfcat\n); snprintf(buff, sizeof(buff), %s, 1234567890); puts(buff); snprintfcat(buff, sizeof(buff), %s, 1234567890); puts(buff); snprintfcat(buff, sizeof(buff), %s, 1234567890); puts(buff); snprintfcat(buff, sizeof(buff), %s, 1234567890); puts(buff); return 0; }
Bug#534641: mendex bug
Dear all, I hope there is still someone listening. Since quite some time there is a bug in mendex. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534641 Easy to reproduce: With the following idx file: \indexentry{foo|(}{1} \indexentry{foo|mac}{1} \indexentry{foo|)}{1} mendex produces ... \item foo, 1}, 1 ... instead of ... \item foo, \mac{1}, 1 ... I looked through the current sources in TeX Live and found that in fwrite.c, function range_check: if (strlen(ind.p[j].enc)0) { sprintf(tmpbuff,%s%s%s,encap_prefix,ind.p[j].enc,encap_infix); sprintf(tmpbuff,%s%s%s,ind.p[j].page,encap_suffix,delim_n); linecheck(lbuff,tmpbuff); } that looks suspicious. The tmpbuff is overwritten on the second incantation, and in fact the encap_prefix(which is \) ind.p[j].enc(which is the macro name) encap_infix (which is {) are missing from the output. So my guess is that the correct version would be to have sprintf(tmpbuff,%s%s%s%s%s%s,encap_prefix,ind.p[j].enc,encap_infix,ind.p[j].page,encap_suffix,delim_n); instead. And indeed, with that change the output is as expected. Checking the differences I see that the *reverse change* was introduced between 2.6c and 2.6d. So till 2.6c the above line was there. I am not sure who is currently maintaining mendex, but I would suggest to fix it as lined out above.I attach a patch against current TeX Live sources (as far as I see). Norbert PREINING, Norbert http://www.preining.info JAIST, Japan TeX Live Debian Developer DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 diff --git a/texk/mendexk/ChangeLog b/texk/mendexk/ChangeLog index fe87113..571bc64 100644 --- a/texk/mendexk/ChangeLog +++ b/texk/mendexk/ChangeLog @@ -1,3 +1,8 @@ +2013-09-07 Norbert Preining prein...@logic.at + + * fwrite.c: fix missing output when range operators are + used with macro definitions + 2012-11-19 Peter Breitenlohner p...@mppmu.mpg.de * Makefile.am: Avoid use of deprecated INCLUDES. diff --git a/texk/mendexk/fwrite.c b/texk/mendexk/fwrite.c index 8c18782..bc5a0ec 100644 --- a/texk/mendexk/fwrite.c +++ b/texk/mendexk/fwrite.c @@ -384,8 +384,7 @@ static int range_check(struct index ind, int count, char *lbuff) ind.p[j].enc++; } if (strlen(ind.p[j].enc)0) { - sprintf(tmpbuff,%s%s%s,encap_prefix,ind.p[j].enc,encap_infix); - sprintf(tmpbuff,%s%s%s,ind.p[j].page,encap_suffix,delim_n); + sprintf(tmpbuff,%s%s%s%s%s%s,encap_prefix,ind.p[j].enc,encap_infix,ind.p[j].page,encap_suffix,delim_n); linecheck(lbuff,tmpbuff); } }
Bug#534641: mendex bug
I am not sure who is currently maintaining mendex, As you know, it was part of the general Japanese-TeX import into TL, so I suppose you and Akira are :), with the rest of us chipping in as necessary. Please apply whatever patch you see fit. #define TAIL(x) (x+strlen(x)) The first x on the RHS should be parenthesized, as a matter of general programming practice: ((x)+strlen(x)) sprintf(tmpbuff,%s%s%s,encap_prefix,ind.p[j].enc,encap_infix); In general, shouldn't snprintf be used to avoid the whole potential of buffer overrun? karl -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#534641: mendex bug
On Sa, 07 Sep 2013, Karl Berry wrote: As you know, it was part of the general Japanese-TeX import into TL, so I suppose you and Akira are :), with the rest of us chipping in as necessary. Please apply whatever patch you see fit. Ok, will do that. #define TAIL(x) (x+strlen(x)) The first x on the RHS should be parenthesized, as a matter of general programming practice: ((x)+strlen(x)) Ok, wil ldo that, too. sprintf(tmpbuff,%s%s%s,encap_prefix,ind.p[j].enc,encap_infix); In general, shouldn't snprintf be used to avoid the whole potential of buffer overrun? I will take a look at it and see if I can get rid of some of those. Norbert PREINING, Norbert http://www.preining.info JAIST, Japan TeX Live Debian Developer DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#534641: mendex bug
Hi Karl, hi all, On Sa, 07 Sep 2013, Karl Berry wrote: #define TAIL(x) (x+strlen(x)) Done, fixed patch attached: mendex-bugfix In general, shouldn't snprintf be used to avoid the whole potential of buffer overrun? Done that for fwrite.c, but there are other cases in the source. Patch for fwrite.c attached, on top of the prvious: mendex-snprintf If anyone can comment on that (review) that would be great, especially the definition of TAIL_LEN(x) (returning two argumetns, the pointer and the remaining length, for the first two arguments of snprintf). Thanks Norbert PREINING, Norbert http://www.preining.info JAIST, Japan TeX Live Debian Developer DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094 fix a bug in mendex when range ops and macros are used (Closes: #534641) --- texk/mendexk/ChangeLog |9 + texk/mendexk/fwrite.c |5 ++--- 2 files changed, 11 insertions(+), 3 deletions(-) --- texlive-bin.orig/texk/mendexk/ChangeLog +++ texlive-bin/texk/mendexk/ChangeLog @@ -1,3 +1,12 @@ +2013-09-08 Norbert Preining prein...@logic.at + + * fwrite.c: properly parenthesis TAIL macro + +2013-09-07 Norbert Preining prein...@logic.at + + * fwrite.c: fix missing output when range operators are + used with macro definitions + 2012-11-19 Peter Breitenlohner p...@mppmu.mpg.de * Makefile.am: Avoid use of deprecated INCLUDES. --- texlive-bin.orig/texk/mendexk/fwrite.c +++ texlive-bin/texk/mendexk/fwrite.c @@ -15,7 +15,7 @@ static void linecheck(char *lbuff, char *tmpbuff); static void crcheck(char *lbuff, FILE *fp); -#define TAIL(x) (x+strlen(x)) +#define TAIL(x) ((x)+strlen(x)) /* if we don't have vsnprintf() */ /* #define vsnprintf(buff,len,format,argptr) vsprintf(buff,format,argptr) */ @@ -384,8 +384,7 @@ ind.p[j].enc++; } if (strlen(ind.p[j].enc)0) { - sprintf(tmpbuff,%s%s%s,encap_prefix,ind.p[j].enc,encap_infix); - sprintf(tmpbuff,%s%s%s,ind.p[j].page,encap_suffix,delim_n); + sprintf(tmpbuff,%s%s%s%s%s%s,encap_prefix,ind.p[j].enc,encap_infix,ind.p[j].page,encap_suffix,delim_n); linecheck(lbuff,tmpbuff); } } --- texk/mendexk/ChangeLog |1 texk/mendexk/fwrite.c | 103 + 2 files changed, 54 insertions(+), 50 deletions(-) --- texlive-bin.orig/texk/mendexk/ChangeLog +++ texlive-bin/texk/mendexk/ChangeLog @@ -1,6 +1,7 @@ 2013-09-08 Norbert Preining prein...@logic.at * fwrite.c: properly parenthesis TAIL macro + * fwrite.c: replace sprintf with snprintf 2013-09-07 Norbert Preining prein...@logic.at --- texlive-bin.orig/texk/mendexk/fwrite.c +++ texlive-bin/texk/mendexk/fwrite.c @@ -10,12 +10,15 @@ int line_length=0; +#define BUFFERLEN 4096 + static void printpage(struct index *ind, FILE *fp, int num, char *lbuff); static int range_check(struct index ind, int count, char *lbuff); static void linecheck(char *lbuff, char *tmpbuff); static void crcheck(char *lbuff, FILE *fp); #define TAIL(x) ((x)+strlen(x)) +#define TAIL_LEN(x) ((x)+strlen(x)), (BUFFERLEN-strlen(x)) /* if we don't have vsnprintf() */ /* #define vsnprintf(buff,len,format,argptr) vsprintf(buff,format,argptr) */ @@ -67,7 +70,7 @@ void indwrite(char *filename, struct index *ind, int pagenum) { int i,j,hpoint=0; - char datama[256],lbuff[4096]; + char datama[256],lbuff[BUFFERLEN]; FILE *fp; if (filename[0]!='\0' kpse_out_name_ok(filename)) fp=fopen(filename,wb); @@ -99,7 +102,7 @@ fprintf(fp,%s%s%s,lethead_prefix,symhead_negative,lethead_suffix); } } - sprintf(lbuff,%s%s,item_0,ind[i].idx[0]); + snprintf(lbuff, BUFFERLEN, %s%s,item_0,ind[i].idx[0]); } else if (alphabet(ind[i].dic[0][0])) { if (lethead_flag0) { @@ -108,7 +111,7 @@ else if (lethead_flag0) { fprintf(fp,%s%c%s,lethead_prefix,ind[i].dic[0][0]+32,lethead_suffix); } - sprintf(lbuff,%s%s,item_0,ind[i].idx[0]); + snprintf(lbuff, BUFFERLEN,