[tex-live] extractbb can not read the pdf file generated by mutool

Karl Berry karl at freefriends.org
Fri Jan 8 01:01:36 CET 2016


All programs we distribute should be robust against bad input files,
including stray nulls and other such things.  This doesn't necessarily
mean rejecting all possible bad input, but it does mean they shouldn't
crash.  A crash means it is a potential (though unlikely) attack vector
for bad guys.

I don't think this necessarily means never using scanf.  It does mean
avoiding anything where the input can be overrun, such as gets() (just
the common example, I know that is not being used here; I don't know
about mfgets).

This is not extractbb/dvipdfmx-specific.

Does that help/clarify/make sense?

k
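An added example, not part of the original message and not extractbb/dvipdfmx code: a bounded line reader that survives stray NULs and over-long lines, followed by a scanf-family call with explicit field widths. The helper names (read_line_bounded, parse_entry, first_line) and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: read one line into buf without writing past cap bytes.
   A stray NUL becomes a space; excess bytes are dropped. Returns length, -1 at EOF. */
static long read_line_bounded(FILE *fp, char *buf, size_t cap)
{
    size_t n = 0;
    int c, seen = 0;
    if (fp == NULL || buf == NULL || cap == 0) return -1;
    while ((c = getc(fp)) != EOF) {
        seen = 1;
        if (c == '\n') break;
        if (c == '\0') c = ' ';               /* a NUL must not hide the rest of the line */
        if (n + 1 < cap) buf[n++] = (char)c;  /* keep room for the terminator */
    }
    buf[n] = '\0';
    return seen ? (long)n : -1;
}

/* sscanf with explicit widths: at most 15 bytes plus the terminator go into
   name, and 9 digits always fit in an int. */
static int parse_entry(const char *line, char name[16], int *val)
{
    return sscanf(line, "%15s %9d", name, val) == 2;
}

/* Write constructed bytes to a temporary file, read line one via a 32-byte buffer. */
static long first_line(const void *bytes, size_t len, char out[32])
{
    FILE *fp = tmpfile();
    long n;
    if (fp == NULL) return -1;
    if (fwrite(bytes, 1, len, fp) != len) { fclose(fp); return -1; }
    rewind(fp);
    n = read_line_bounded(fp, out, 32);
    fclose(fp);
    return n;
}

int main(void)
{
    static const char bad[] = "Width\0 612\nrest";   /* constructed input */
    char line[32], name[16];
    int val = 0;
    if (first_line(bad, sizeof bad - 1, line) >= 0 && parse_entry(line, name, &val))
        printf("%s = %d\n", name, val);
    return 0;
}
```
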

