Package: unhtml Version: 2.3.9 Tags: patch Too few bytes are allocated; check is for if (i>tag_size-1) but on EOF a NULL is also written.
I also took the opportunity to remove an unnecessary and probably not useful re-allocation. --- unhtml-2.3.9/unhtml.c 2009-06-26 16:20:07.000000000 -0700 +++ /tmp/unhtml-2.3.9/unhtml.c 2009-06-26 16:20:52.000000000 -0700 @@ -130,30 +130,16 @@ m_putchar(tag[j]); } - if (tag_size > MAX_TAG_SIZE) { - free(tag); - tag_size = MAX_TAG_SIZE; - tag = (char *)malloc(tag_size); - if (!tag) { - fprintf (stderr, "Cannot malloc tag space (%d bytes).\n", tag_size); - return 1; - } - } - break; } - if (i > (tag_size - 1)) { - while (tag_size < i) - tag_size *= 2; - tmp = (char *)malloc(tag_size); + if (i >= tag_size-1) { + tag_size <<= 1; + tmp = realloc(tag, tag_size); if (!tmp) { fprintf (stderr, "Cannot malloc tag space (%d bytes).\n", tag_size); return 1; } - memset(tmp, 0, tag_size); - memcpy(tmp, tag, i); - free(tag); tag = tmp; } @@ -225,17 +211,13 @@ tag[i] = ch; i++; - if (i > (tag_size - 1)) { - while (tag_size < i) - tag_size *= 2; - tmp = (char *)malloc(tag_size); + if (i >= tag_size-1) { + tag_size <<= 1; + tmp=realloc(tag, tag_size); if (!tmp) { fprintf (stderr, "Cannot malloc tag space (%d bytes).\n", tag_size); return 1; } - memset(tmp, 0, tag_size); - memcpy(tmp, tag, i); - free(tag); tag = tmp; } -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org