Re: fmt(1) causes canary trap with malloc.conf -> C

Todd C. Miller Wed, 17 Oct 2018 09:49:39 -0700

The length check does not account for the NUL terminator.

 - todd


Index: usr.bin/fmt/fmt.c
===================================================================
RCS file: /cvs/src/usr.bin/fmt/fmt.c,v
retrieving revision 1.38
diff -u -p -u -r1.38 fmt.c
--- usr.bin/fmt/fmt.c   20 Feb 2017 15:48:00 -0000      1.38
+++ usr.bin/fmt/fmt.c   17 Oct 2018 16:47:48 -0000
@@ -687,7 +687,7 @@ get_line(FILE *stream)
                if ((len == 0) && (ch == '.' && !format_troff))
                        troff = 1;
                if (troff || ch == '\t' || !iscntrl(ch)) {
-                       if (len >= length) {
+                       if (len >= length - 1) {
                                length *= 2;
                                buf = xrealloc(buf, length);
                        }

Re: fmt(1) causes canary trap with malloc.conf -> C

Reply via email to