On Wed, May 13, 2026 at 09:46:57PM -0400, Daniel Anderson wrote:
> Good evening,
>
> I found a heap-buffer overflow in infocmp's safe_name().
>
> `infocmp -x -E` can overflow a heap buffer when dumping a terminfo entry with
> a long extended capability name. The bug is in
> `progs/infocmp.c:safe_name()`: the function keeps a static pointer to a heap
> buffer, allocates it only on the first call, sizes it from that first call's
> arguments, and reuses it for later calls even when later names require more
> space.

agreed - it ought to check the length and reallocate as needed.

-- 
Thomas E. Dickey <[email protected]>
https://invisible-island.net
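The check-and-reallocate approach mentioned in the reply, as an added example that is not part of this thread and is not the ncurses source: a reused static scratch buffer that records its capacity and grows when a later name needs more room. The names `safe_name_demo` and `demo_capacity` and the `<prefix>_<name>` output format are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the pattern discussed in the thread; this is
 * not the ncurses source. The scratch buffer is static and reused across
 * calls, so its capacity must be remembered alongside the pointer. */
static char  *demo_buf = NULL;
static size_t demo_cap = 0;

/* Current capacity, exposed so a caller or test can observe growth. */
size_t demo_capacity(void) { return demo_cap; }

/* Builds "<prefix>_<name>" in the reused buffer. Returns NULL on size
 * overflow or allocation failure; the old buffer stays valid in that case. */
const char *safe_name_demo(const char *prefix, const char *name)
{
    size_t plen = strlen(prefix);
    size_t nlen = strlen(name);

    /* Reject lengths whose sum would wrap before sizing anything. */
    if (nlen > SIZE_MAX - 2 || plen > SIZE_MAX - 2 - nlen)
        return NULL;
    size_t need = plen + 1 + nlen + 1;   /* '_' separator plus NUL */

    /* Allocating only when the pointer is NULL freezes the size at what
     * the first call needed. Comparing against the recorded capacity on
     * every call lets later, longer names grow the buffer. */
    if (need > demo_cap) {
        char *grown = realloc(demo_buf, need);
        if (grown == NULL)
            return NULL;
        demo_buf = grown;
        demo_cap = need;
    }
    snprintf(demo_buf, demo_cap, "%s_%s", prefix, name);
    return demo_buf;
}

int main(void)
{
    /* Constructed inputs: a short name first, then a much longer one. */
    const char *s = safe_name_demo("ext", "kUP");
    if (s) puts(s);
    s = safe_name_demo("ext", "a_very_long_extended_capability_name");
    if (s) printf("%s (capacity %zu)\n", s, demo_capacity());
    return 0;
}
```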
