On Fri, Dec 08, 2017 at 09:45:57AM -0700, Todd C. Miller wrote:
> It turns out that locate will *always* go past the end of the buffer
> due to the missing length checks. Usually this is not a problem
> as mmap returns page-sized buffers. But if the length of the buffer
> is an even multiple of the page size it will dereference an address
> outside the buffer and crash. In this case, the buffer in question
> is 20885504 bytes long which is 5099 4K pages.
Ah that explains it. ok for the second diff
