[193] in Zephyr_Bugs
Re: zwrite core dump
daemon@ATHENA.MIT.EDU (John F Carr)
Fri Dec 14 10:47:35 1990
Date: Fri, 14 Dec 1990 10:47:20 -0500 (EST)
From: John F Carr <jfc@ATHENA.MIT.EDU>
To: testers@ATHENA.MIT.EDU, bug-zephyr@ATHENA.MIT.EDU
In-Reply-To: <9012141525.AA08145@Achates.MIT.EDU>
I found the bug. A realloc() call isn't leaving room for the null
character at the end of the message.
There are a lot of places in zwrite where the return value of realloc()
isn't checked (this patch doesn't fix those).
*** /tmp/,RCSt1008303 Fri Dec 14 10:45:04 1990
--- zwrite.c Fri Dec 14 10:43:28 1990
***************
*** 265,278 ****
} else {
if (isatty(0)) {
for (;;) {
if (!fgets(bfr, sizeof bfr, stdin))
break;
if (!nodot && bfr[0] == '.' &&
(bfr[1] == '\n' || bfr[1] == '\0'))
break;
! message = realloc(message, (unsigned)(msgsize+strlen(bfr)));
(void) strcpy(message+msgsize, bfr);
! msgsize += strlen(bfr);
}
message = realloc(message, (unsigned)(msgsize+1));
}
--- 265,280 ----
} else {
if (isatty(0)) {
for (;;) {
+ unsigned int l;
if (!fgets(bfr, sizeof bfr, stdin))
break;
if (!nodot && bfr[0] == '.' &&
(bfr[1] == '\n' || bfr[1] == '\0'))
break;
! l = strlen(bfr);
! message = realloc(message, msgsize+l+1);
(void) strcpy(message+msgsize, bfr);
! msgsize += l;
}
message = realloc(message, (unsigned)(msgsize+1));
}
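Review bot: the new `message = realloc(message, msgsize+l+1);` still assigns the result straight back into `message`, so a failed realloc() drops the only pointer to the old buffer and the next line's `strcpy(message+msgsize, bfr)` writes through NULL; the cover note says unchecked realloc() calls are out of scope, but since this line is being rewritten anyway it would cost two lines to do `char *p = realloc(message, msgsize+l+1); if (!p) { /* report and bail */ } message = p;`. Two smaller points on the same hunk: now that every iteration reserves the terminator byte, the `message = realloc(message, (unsigned)(msgsize+1));` after the loop only still matters for the case where no line was appended and `message` is whatever it started as, which deserves a comment; and `l` is declared `unsigned int` while strlen() returns size_t and the new realloc() line drops the `(unsigned)` cast that the other calls keep, so either use size_t throughout or keep the casts consistent.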
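The same stdin accumulation loop written the way the patch and the cover note together suggest it should be, as an added example that is not Carr's patch or the zwrite source: every growth step reserves one byte for the terminator, realloc() goes through a temporary so a failure leaves the old buffer intact, and the size arithmetic is checked before it can wrap. The function names, the 256-byte line buffer and the sample lines are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Grow *msg (a NUL-terminated heap string of length *len, or NULL) by chunk.
 * The new size is *len + strlen(chunk) + 1: the +1 is the terminator byte the
 * original realloc() call left out. realloc() is assigned to a temporary so a
 * failure neither leaks nor clobbers the old buffer. Returns 0, or -1 on
 * allocation failure or size overflow. */
int append_chunk(char **msg, size_t *len, const char *chunk)
{
    size_t l = strlen(chunk);
    char *grown;

    if (l > SIZE_MAX - *len - 1)          /* *len + l + 1 would wrap */
        return -1;
    grown = realloc(*msg, *len + l + 1);
    if (grown == NULL)
        return -1;
    memcpy(grown + *len, chunk, l + 1);   /* copies the NUL as well */
    *msg = grown;
    *len += l;
    return 0;
}

/* 1 if line is the end-of-message marker: a lone "." with or without newline,
 * the same test zwrite applies when nodot is not set. */
int is_terminator(const char *line)
{
    return line[0] == '.' && (line[1] == '\n' || line[1] == '\0');
}

/* Hand back a NUL-terminated string even when nothing was appended, which is
 * what the realloc(message, msgsize+1) after zwrite's loop is there for. */
static char *finish_message(char *msg, size_t len, size_t *out_len)
{
    if (msg == NULL) {
        msg = malloc(1);
        if (msg == NULL)
            return NULL;
        msg[0] = '\0';
    }
    *out_len = len;
    return msg;
}

/* Assemble a message from lines already split the way fgets() delivers them
 * (trailing '\n' kept). Stops at the first "." line unless nodot is set.
 * Returns a heap string the caller frees, or NULL on allocation failure. */
char *build_message(const char *const *lines, size_t nlines, int nodot,
                    size_t *out_len)
{
    char *msg = NULL;
    size_t len = 0;
    size_t i;

    for (i = 0; i < nlines; i++) {
        if (!nodot && is_terminator(lines[i]))
            break;
        if (append_chunk(&msg, &len, lines[i]) != 0) {
            free(msg);
            return NULL;
        }
    }
    return finish_message(msg, len, out_len);
}

/* The same loop driven by fgets() on a stream, as zwrite runs it on a tty.
 * A line longer than bfr arrives in several fgets() calls; append_chunk()
 * copes because it appends whatever fragment it is given. */
char *read_message(FILE *in, int nodot, size_t *out_len)
{
    char bfr[256];                        /* assumed buffer size */
    char *msg = NULL;
    size_t len = 0;

    while (fgets(bfr, sizeof bfr, in) != NULL) {
        if (!nodot && is_terminator(bfr))
            break;
        if (append_chunk(&msg, &len, bfr) != 0) {
            free(msg);
            return NULL;
        }
    }
    return finish_message(msg, len, out_len);
}

/* Constructed sample input standing in for what a user would type. */
static const char *const SAMPLE[] = { "hello\n", "world\n", ".\n", "ignored\n" };

/* Build the sample message and compare it with expected; 1 on match. */
int sample_matches(int nodot, const char *expected)
{
    size_t n = 0;
    char *m = build_message(SAMPLE, 4, nodot, &n);
    int ok = m != NULL && n == strlen(expected) && strcmp(m, expected) == 0;
    free(m);
    return ok;
}

int main(void)
{
    size_t n = 0;
    char *m = build_message(SAMPLE, 4, 0, &n);
    if (m == NULL)
        return 1;
    printf("%lu bytes: %s", (unsigned long)n, m);
    free(m);
    return 0;
}
```

With the "." terminator honoured the sample yields the first two lines; with nodot set the "." is ordinary text and all four lines are kept. Because the buffer is sized from strlen() plus one on every step, the final byte written by memcpy() is at index len + l, the last byte realloc() handed back.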