A systematic review of tex.web (Version 3.141592653) identified 7 integer overflow vulnerabilities under the 32-bit Pascal semantics assumed by the WEB source. Most are currently masked on 64-bit web2c platforms but represent latent incorrectness. All patches use TeX's own overflow-safe primitives.
| Bug | Section | Description | Fix |
|-----|---------|-------------|-----|
| DZ1 | S457 | Magnification ratio overflow | xn_over_d |
| DZ2 | S762 | Delimiter factor overflow | xn_over_d |
| DZ4 | S859 | Demerits accumulation overflow | mult_and_add |
| DZ5 | S890 | Penalty accumulation overflow | mult_and_add |
| DZ6 | S986, S1008-1010 | Page insertion arithmetic overflow (5 sites) | xn_over_d |
| DZ7 | S1005 | Page cost overflow | mult_and_add |
| DZ8 | S1236 | \advance has no overflow protection | inline check |

DZ8 is the only bug demonstrable on current 64-bit TeX Live:
```tex
\newcount\big\big=2000000000
\advance\big by 1000000000
\message{\the\big} % prints -1294967296 (silent wraparound)
```
After the patch, this correctly reports "Arithmetic overflow".
Note: DZ8 cannot use mult_and_add because mult_and_add's own overflow check (max_answer+y) itself overflows when max_answer = max_int. An inline check is used instead.
Companion issue
The hyphenation exception leak (DZ3) is filed separately as #82.
Trip test impact
Two categories of expected differences in trip.log:
DZ6 changes rounding order (divide-then-multiply to multiply-then-divide), producing slightly more accurate page goal and insertion-split values throughout.
tripin.log and trip.typ are identical. Full diffs are in the attached trip-test-diffs.txt.
Context
DZ1-DZ3 were reported to Professor Knuth by letter (March 2026) and to tex-k@tug.org. DZ4-DZ8 were found during the same review. The complete changefile patch was sent to the list for review in the thread "Three potential bugs in tex.web (Version 3.141592653)".
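
The DZ8 wraparound and the note about mult_and_add's guard, modelled in C as an added example; this is not code from the issue, the patch, or tex.web. The shape of the guard in `mult_and_add32`, the symmetric range -max_int..max_int, and the form of `advance_checked` are assumptions, since the page shows neither the guard in full nor the patch's inline check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_INT INT32_MAX /* assumption: max_int = 2^31-1 (32-bit Pascal integer) */

/* Model 32-bit wraparound in 64-bit arithmetic (no C signed-overflow UB). */
static int32_t wrap32(int64_t v) {
    int64_t m = v & 0xFFFFFFFFLL;
    return (int32_t)(m > INT32_MAX ? m - 0x100000000LL : m);
}

/* \advance with no check: reproduces the DZ8 wraparound. */
int32_t advance_unchecked(int32_t reg, int32_t by) {
    return wrap32((int64_t)reg + by);
}

/* mult_and_add's guard with every intermediate held to 32 bits (guard shape
   assumed from tex.web). Returns false where TeX would set arith_error. */
bool mult_and_add32(int32_t n, int32_t x, int32_t y, int32_t max_answer, int32_t *out) {
    if (n < 0) { x = wrap32(-(int64_t)x); n = wrap32(-(int64_t)n); }
    if (n == 0) { *out = y; return true; }
    int32_t hi = wrap32((int64_t)max_answer - y); /* wraps if y < 0, max_answer = max_int */
    int32_t lo = wrap32((int64_t)max_answer + y); /* wraps if y > 0, max_answer = max_int */
    if (x <= hi / n && wrap32(-(int64_t)x) <= lo / n) {
        *out = wrap32((int64_t)n * x + y);
        return true;
    }
    return false;
}

/* Hypothetical inline check (the patch's own form is not shown on the page):
   compare against the limit before adding, so no intermediate can overflow.
   Assumes the legal range is -max_int..max_int. */
bool advance_checked(int32_t reg, int32_t by, int32_t *out) {
    if ((by > 0 && reg > MAX_INT - by) || (by < 0 && reg < -MAX_INT - by))
        return false; /* caller reports "Arithmetic overflow" */
    *out = reg + by;
    return true;
}

int main(void) {
    int32_t r = 0;
    printf("%d\n", advance_unchecked(2000000000, 1000000000));        /* wraps */
    printf("%d\n", mult_and_add32(1, -100, 2000000000, MAX_INT, &r)); /* 0: valid sum rejected */
    printf("%d\n", advance_checked(2000000000, -100, &r));            /* 1 */
    printf("%d\n", advance_checked(2000000000, 1000000000, &r));      /* 0 */
    return 0;
}
```

Under this model the guard rejects 2000000000 + (-100), a sum well inside the range, because max_answer+y has already wrapped negative; with y = 0 the same guard behaves correctly.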