texlive/source-CVE-2023-46048.patch


---
texk/dvipsk/writet1.c | 15 ++++++++++++---
texk/web2c/luatexdir/font/writet1.c | 15 ++++++++++++---
texk/web2c/pdftexdir/writet1.c | 15 ++++++++++++---
3 files changed, 36 insertions(+), 9 deletions(-)
--- texk/dvipsk/writet1.c
+++ texk/dvipsk/writet1.c 2024-04-02 00:00:00.000000000 +0000
@@ -769,7 +769,10 @@ static char **t1_builtin_enc(void)
*t1_buf_array == '/' && valid_code(i)) {
if (strcmp(t1_buf_array + 1, notdef) != 0)
glyph_names[i] = xstrdup(t1_buf_array + 1);
- p = strstr(p, " put") + strlen(" put");
+ p = strstr(p, " put");
+ if (!p)
+ pdftex_fail("invalid pfb, no put found in dup");
+ p += strlen(" put");
skip(p, ' ');
}
/*
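Review bot: The added `if (!p)` guard prevents the NULL dereference only if `pdftex_fail()` never returns, because the following line still executes `p += strlen(" put")`. Its definition is outside this hunk, so that should be confirmed for the dvips build; if it can return, the branch needs an explicit exit after the call. The same dependency applies to the other two hunks in this file and to the `formatted_error()` and `pdftex_fail()` calls in the luatex and pdftex copies. The body of t1_builtin_enc starts and ends outside the hunk.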
@@ -778,7 +781,10 @@ static char **t1_builtin_enc(void)
else if (sscanf(p, "dup dup %i exch %i get put", &b, &a) == 2
&& valid_code(a) && valid_code(b)) {
copy_glyph_names(glyph_names, a, b);
- p = strstr(p, " get put") + strlen(" get put");
+ p = strstr(p, " get put");
+ if (!p)
+ pdftex_fail("invalid pfb, no get put found in dup dup");
+ p += strlen(" get put");
skip(p, ' ');
}
/*
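Review bot: `copy_glyph_names(glyph_names, a, b)` still runs before the new check, so the glyph table has already been modified by the time a malformed entry is rejected. `sscanf` returns 2 as soon as both `%i` conversions succeed and never confirms the trailing ` get put`, which is why `strstr` can return NULL here. This is harmless as long as the failure is fatal, but locating the terminator first and copying afterwards would keep validation ahead of the state change. A comment such as `/* sscanf() does not verify the literal text after the last %i */` above the check would record why it is needed. The same ordering appears in the matching luatex and pdftex hunks.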
@@ -789,7 +795,10 @@ static char **t1_builtin_enc(void)
&& valid_code(a) && valid_code(b) && valid_code(c)) {
for (i = 0; i < c; i++)
copy_glyph_names(glyph_names, a + i, b + i);
- p = strstr(p, " putinterval") + strlen(" putinterval");
+ p = strstr(p, " putinterval");
+ if (!p)
+ pdftex_fail("invalid pfb, no putinterval found in dup dup");
+ p += strlen(" putinterval");
skip(p, ' ');
}
/*
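Review bot: The loop calls `copy_glyph_names(glyph_names, a + i, b + i)` with only `a`, `b` and `c` checked individually by `valid_code()`, so `a + i` and `b + i` are not bounded for a font file that supplies a large `c`. `valid_code()` and the size of `glyph_names` are defined outside the hunk, so the out-of-range indexing is inferred, but this commit validates only the `strstr` result and leaves the loop as it was. Bounding the loop itself, for example `for (i = 0; i < c && valid_code(a + i) && valid_code(b + i); i++)`, or failing like the new checks do, would close that gap. The same loop appears unchanged in the putinterval hunks of the luatex and pdftex copies.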
--- texk/web2c/luatexdir/font/writet1.c
+++ texk/web2c/luatexdir/font/writet1.c 2024-04-02 12:52:03.939492105 +0000
@@ -814,13 +814,19 @@ static char **t1_builtin_enc(void)
*t1_buf_array == '/' && valid_code(i)) {
if (strcmp(t1_buf_array + 1, notdef) != 0)
glyph_names[i] = xstrdup(t1_buf_array + 1);
- p = strstr(p, " put") + strlen(" put");
+ p = strstr(p, " put");
+ if (!p)
+ formatted_error("type 1","invalid pfb, no put found in dup");
+ p += strlen(" put");
skip_char(p, ' ');
}
/*tex Check for |dup dup <to> exch <from> get put|. */
else if (sscanf(p, "dup dup %i exch %i get put", &b, &a) == 2 && valid_code(a) && valid_code(b)) {
copy_glyph_names(glyph_names, a, b);
- p = strstr(p, " get put") + strlen(" get put");
+ p = strstr(p, " get put");
+ if (!p)
+ formatted_error("type 1","invalid pfb, no get put found in dup dupp");
+ p += strlen(" get put");
skip_char(p, ' ');
}
/*tex Check for |dup dup <from> <size> getinterval <to> exch putinterval|. */
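Review bot: The message in the second added check reads `no get put found in dup dupp`, while the dvipsk and pdftex copies say `dup dup`. The trailing `p` looks like a typo and makes the diagnostic differ between engines for the same malformed font. Suggested: `formatted_error("type 1","invalid pfb, no get put found in dup dup");`.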
@@ -828,7 +834,10 @@ static char **t1_builtin_enc(void)
&a, &c, &b) == 3 && valid_code(a) && valid_code(b) && valid_code(c)) {
for (i = 0; i < c; i++)
copy_glyph_names(glyph_names, a + i, b + i);
- p = strstr(p, " putinterval") + strlen(" putinterval");
+ p = strstr(p, " putinterval");
+ if (!p)
+ formatted_error("type 1","invalid pfb, no putinterval found in dup dup");
+ p += strlen(" putinterval");
skip_char(p, ' ');
}
/*tex Check for |def or |readonly def|. */
--- texk/web2c/pdftexdir/writet1.c
+++ texk/web2c/pdftexdir/writet1.c 2024-04-02 00:00:00.000000000 +0000
@@ -841,7 +841,10 @@ static char **t1_builtin_enc(void)
*t1_buf_array == '/' && valid_code(i)) {
if (strcmp(t1_buf_array + 1, notdef) != 0)
glyph_names[i] = xstrdup(t1_buf_array + 1);
- p = strstr(p, " put") + strlen(" put");
+ p = strstr(p, " put");
+ if (!p)
+ pdftex_fail("invalid pfb, no put found in dup");
+ p += strlen(" put");
skip(p, ' ');
}
/*
@@ -850,7 +853,10 @@ static char **t1_builtin_enc(void)
else if (sscanf(p, "dup dup %i exch %i get put", &b, &a) == 2
&& valid_code(a) && valid_code(b)) {
copy_glyph_names(glyph_names, a, b);
- p = strstr(p, " get put") + strlen(" get put");
+ p = strstr(p, " get put");
+ if (!p)
+ pdftex_fail("invalid pfb, no get put found in dup dup");
+ p += strlen(" get put");
skip(p, ' ');
}
/*
@@ -861,7 +867,10 @@ static char **t1_builtin_enc(void)
&& valid_code(a) && valid_code(b) && valid_code(c)) {
for (i = 0; i < c; i++)
copy_glyph_names(glyph_names, a + i, b + i);
- p = strstr(p, " putinterval") + strlen(" putinterval");
+ p = strstr(p, " putinterval");
+ if (!p)
+ pdftex_fail("invalid pfb, no putinterval found in dup dup");
+ p += strlen(" putinterval");
skip(p, ' ');
}
/*