Hi, as discovered for OpenBSD's patch, GNU patch also suffers from integer overflows, which can lead to arbitrary memory access.
This file will trigger an out-of-bounds memory access:

    $ cat a.diff
    --- a   Sat Nov 15 00:25:29 2014
    +++ b   Sat Nov 15 00:06:50 2014
    @@ -1,9223372036854775807 +1,9223372036854775807 @@
    -a
    +b
    $ touch a
    $ patch a a.diff

So what's wrong? Look at line 1666 in pch.c:

    p_max = p_ptrn_lines + p_repl_lines + 1;

p_max will overflow to -1 due to our modified (and invalid) diff, therefore no memory will be allocated. -1 is definitely smaller than hunkmax. Later on, line 1671:

    filldst = fillsrc + p_ptrn_lines;

We assign an invalid number into filldst, which gets referenced in line 1685:

    p_len[filldst] = strlen (buf);

Therefore, we write data into a memory chunk that most likely does not belong to us. For this example, filldst would be -9223372036854775808.

You can find my proposed diff for OpenBSD here:

    http://marc.info/?l=openbsd-tech&m=141693055412785&w=2

I know about the license issues that could step in: I am definitely fine if you take these changes and incorporate them into your GPL code. Otherwise... Take it as input for your own solution. ;)

Tobias
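The report above hinges on two unchecked steps: the hunk-header line counts are parsed without a range check, and `p_ptrn_lines + p_repl_lines + 1` is summed without an overflow check. The following C program is an added illustration of how a defender would write that step; it is not code from GNU patch or from the proposed OpenBSD diff. The `hunk_header` struct, `parse_hunk_header`, `hunk_slots` and `slots_for` are hypothetical names, and the sanity cap passed to `hunk_slots` is an assumed policy value, not something either project uses.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed form of a unified-diff hunk header "@@ -A,B +C,D @@". */
typedef struct {
    long long start_old, len_old;   /* A, B */
    long long start_new, len_new;   /* C, D */
} hunk_header;

/* Parse one non-negative decimal field. Rejects a leading sign (so "-5" fails),
 * rejects values that do not fit in long long (strtoll sets ERANGE), and
 * advances *s past the digits on success. */
static bool parse_count(const char **s, long long *out)
{
    char *end;
    if (**s < '0' || **s > '9')
        return false;
    errno = 0;
    long long v = strtoll(*s, &end, 10);
    if (errno == ERANGE || v < 0)
        return false;
    *s = end;
    *out = v;
    return true;
}

/* Parse "@@ -A[,B] +C[,D] @@"; a missing count defaults to 1 as in unified diffs. */
bool parse_hunk_header(const char *line, hunk_header *h)
{
    const char *s = line;
    if (strncmp(s, "@@ -", 4) != 0) return false;
    s += 4;
    if (!parse_count(&s, &h->start_old)) return false;
    h->len_old = 1;
    if (*s == ',') { s++; if (!parse_count(&s, &h->len_old)) return false; }
    if (strncmp(s, " +", 2) != 0) return false;
    s += 2;
    if (!parse_count(&s, &h->start_new)) return false;
    h->len_new = 1;
    if (*s == ',') { s++; if (!parse_count(&s, &h->len_new)) return false; }
    return strncmp(s, " @@", 3) == 0;
}

/* Number of line slots the hunk needs (old + new + 1), computed with explicit
 * overflow checks. Returns -1 if the sum would wrap or exceed the caller's cap,
 * which is exactly the case the unchecked p_max computation gets wrong. */
long long hunk_slots(const hunk_header *h, long long cap)
{
    if (h->len_old > LLONG_MAX - h->len_new)
        return -1;                           /* old + new would wrap */
    long long sum = h->len_old + h->len_new;
    if (sum > LLONG_MAX - 1)
        return -1;                           /* + 1 would wrap */
    sum += 1;
    if (sum > cap)
        return -1;                           /* absurdly large hunk: refuse */
    return sum;
}

/* Convenience wrapper: parse and size in one call, -1 on any rejection. */
long long slots_for(const char *line, long long cap)
{
    hunk_header h;
    if (!parse_hunk_header(line, &h))
        return -1;
    return hunk_slots(&h, cap);
}

int main(void)
{
    const long long cap = 1000000;  /* assumed sanity cap on lines per hunk */
    /* Constructed inputs: a benign header and the header from the report above. */
    const char *ok  = "@@ -1,3 +1,4 @@";
    const char *bad = "@@ -1,9223372036854775807 +1,9223372036854775807 @@";
    printf("%s -> %lld\n", ok, slots_for(ok, cap));    /* 8 */
    printf("%s -> %lld\n", bad, slots_for(bad, cap));  /* -1: rejected */
    return 0;
}
```

Two design points are worth noting. First, the check is done before the addition, not after: testing `sum < 0` after a signed overflow is undefined behaviour in C and the compiler may delete it. Second, an explicit cap turns "does it fit in the integer type" into "is it a plausible hunk", which rejects the report's header even on a platform where the arithmetic happens not to wrap.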