URL: <https://savannah.gnu.org/bugs/?64301>
Summary: susceptible to integer overflow when built with -ftrapv
Group: GNU roff
Submitter: gbranden
Submitted: Tue 13 Jun 2023 09:52:33 PM UTC
Category: Core
Severity: 4 - Important
Item Group: Crash/Unresponsive
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Tue 13 Jun 2023 09:52:33 PM UTC   By: G. Branden Robinson <gbranden>

If you build GNU troff with `-ftrapv`, you can construct input that will cause a core dump.

Apply this patch to tmac/pdf.tmac:

diff --git a/tmac/pdf.tmac b/tmac/pdf.tmac
index 6a2fa7bba..fdf1da7af 100644
--- a/tmac/pdf.tmac
+++ b/tmac/pdf.tmac
@@ -36,7 +36,13 @@ am solely responsible for any bugs I may have introduced into this file.
 .mso ps.tmac
 .
 .de pdf:SS
-. fchar \\$1 \\S'16'\\$1\\S'0'
+. ps
+. nr pdf:prevps \\n[.ps]
+. ps
+. nr pdf:ps \\n[.ps]
+. fchar \\$1 \s'\\n[pdf:ps]u*89u/100u'\S'16'\\$1\S'0'\s'\\n[pdf:prevps]u'
+. ps \\n[pdf:prevps]
+. ps \\n[pdf:ps]
 ..
 .pdf:SS \[+h]
 .pdf:SS \[ts]

(The above may have an error; that's not the point.)

$ cat EXPERIMENTS/oversized-greek.roff
.sp
.EQ
f ( pi ) + 2 pi int sin ( omega t ) dt + e sup { i pi sup { rho + 1 } }
.EN
$ ./build/test-groff -e -Tpdf -z EXPERIMENTS/oversized-greek.roff
troff:.../../tmac/pdf.tmac:74: error: numeric overflow
troff: backtrace: '.../build/../tmac/pdf.tmac':45: macro 'pdf:SS'
troff: backtrace: file '.../build/../tmac/pdf.tmac':74
troff: backtrace: file '.../build/../tmac/troffrc':33
troff:.../build/../tmac/pdf.tmac:74: error: numeric overflow
.../build/groff: error: troff: Illegal instruction (core dumped)

[running gdb]

Core was generated by `troff -b -ww -Tpdf'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0x0000562d89c7114e in get_number (res=res@entry=0x7fffd477c434, si=si@entry=122 'z', prev_value=<optimized out>) at ../src/roff/troff/number.cpp:165
165	  *res = prev_value + v;
(gdb) list
160	  return 0;
161	case ABSOLUTE:
162	  *res = v;
163	  break;
164	case INCREMENT:
165	  *res = prev_value + v;
166	  break;
167	case DECREMENT:
168	  *res = prev_value - v;
169	  break;

https://wiki.sei.cmu.edu/confluence/display/c/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow

_______________________________________________________

Reply to this item at:

<https://savannah.gnu.org/bugs/?64301>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
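Review bot: the new `fchar` line mixes single-backslash `\s'...'` and `\S'16'` with double-backslash `\\$1` and `\\n[...]`, whereas the removed line doubled every escape (`\\S'16'` ... `\\S'0'`); since the submitter already flags the hunk as possibly wrong, making the escaping consistent (`\\s`, `\\S`) would let a reader see at a glance which sequences are meant to survive copy mode. The two bare `. ps` requests and the closing pair `. ps \\n[pdf:prevps]` / `. ps \\n[pdf:ps]` also rely on `.ps` with no argument toggling to the previous size; a `.\"` comment saying that both the current and the previous point size are being saved and restored would document that non-obvious trick.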
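The INT32-C rule linked above, applied to the three switch arms shown in the gdb listing, as an added example that is not groff's code: the increment and decrement arms test for overflow before the arithmetic, so a `-ftrapv` build never reaches the trap and the caller can report "numeric overflow" instead. The names `apply_number_op`, `add_overflows`, `sub_overflows` and the `number_op` enum are assumptions, not troff's identifiers.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed names, mirroring the switch at number.cpp:161-169 in the report. */
enum number_op { OP_ABSOLUTE, OP_INCREMENT, OP_DECREMENT };

/* True if a + b would overflow int (precondition test from CERT INT32-C). */
bool add_overflows(int a, int b)
{
    return (b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b);
}

/* True if a - b would overflow int. */
bool sub_overflows(int a, int b)
{
    return (b > 0 && a < INT_MIN + b) || (b < 0 && a > INT_MAX + b);
}

/* Same three cases as get_number(): on success stores the result in *res and
   returns true; on overflow leaves *res untouched and returns false, where the
   original executes the overflowing add and -ftrapv aborts as in the dump. */
bool apply_number_op(int *res, enum number_op op, int prev_value, int v)
{
    switch (op) {
    case OP_ABSOLUTE:
        *res = v;
        return true;
    case OP_INCREMENT:
        if (add_overflows(prev_value, v))
            return false;
        *res = prev_value + v;
        return true;
    case OP_DECREMENT:
        if (sub_overflows(prev_value, v))
            return false;
        *res = prev_value - v;
        return true;
    }
    return false;
}
int main(void)
{
    int res = 0;
    /* Constructed input: an increment that would wrap past INT_MAX. */
    if (!apply_number_op(&res, OP_INCREMENT, INT_MAX, 1))
        puts("numeric overflow (rejected before the add, no trap)");
    return 0;
}
```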