Date: Wed, 13 Nov 2002 15:00:06 -0800 (PST)
Message-Id: <200211132300.gADN06He019032@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: dave
Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
Reply-To: dave
Sender: owner-freebsd-bugs@FreeBSD.ORG

The following reply was made to PR gnu/45168; it has been noted by GNATS.

From: dave
To: freebsd-gnats-submit@FreeBSD.org, saturnero@freesbie.org
Subject: Re: gnu/45168: Buffer overflow in /usr/bin/dialog
Date: Thu, 14 Nov 2002 09:58:18 +1100

The result from a checklist is stored in the result variable, with a maximum length of MAX_LEN, which is defined in /usr/include/dialog.h or /usr/src/gnu/lib/libdialog/dialog.h as 2048. Your checklist's output is breaching this limit.

Could the result variable perhaps be dynamically allocated to hold as much as argv does? I'm not too familiar with dialog, but does it ever output more than it receives as input?
--
Dave
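The fix suggested in the reply above, sketched as an added example (not code from libdialog or from the original message): a bounds-checked join into a MAX_LEN buffer beside a buffer sized from the selected items. The function names and the one-tag-per-line output format are assumptions; only MAX_LEN = 2048 comes from the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN 2048 /* size the message cites from dialog.h */

/* Bounds-checked join of the selected tags, one per line (assumed format).
 * Returns 0, or -1 when a tag would not fit; dst stays NUL-terminated. */
int join_into(char *dst, size_t cap, const char **tags, const int *sel, size_t n)
{
    size_t used = 0;
    if (cap == 0) return -1;
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!sel[i]) continue;
        size_t len = strlen(tags[i]);
        if (len + 1 >= cap - used) return -1; /* tag + '\n' + NUL must fit */
        memcpy(dst + used, tags[i], len);
        used += len;
        dst[used++] = '\n';
        dst[used] = '\0';
    }
    return 0;
}

/* Buffer sized from the input instead of MAX_LEN. Caller frees. */
char *join_dynamic(const char **tags, const int *sel, size_t n)
{
    size_t need = 1; /* terminating NUL */
    for (size_t i = 0; i < n; i++)
        if (sel[i]) need += strlen(tags[i]) + 1;
    char *dst = malloc(need);
    if (dst != NULL) join_into(dst, need, tags, sel, n); /* need is exact */
    return dst;
}

int main(void)
{
    static char big[1500]; /* constructed sample: a 1499-byte tag */
    const char *tags[] = { big, "short", big };
    int sel[] = { 1, 0, 1 };
    char fixed[MAX_LEN], *dyn;
    memset(big, 'A', sizeof big - 1);
    dyn = join_dynamic(tags, sel, 3);
    printf("fixed rc=%d, dynamic=%zu bytes\n",
           join_into(fixed, MAX_LEN, tags, sel, 3), dyn ? strlen(dyn) : (size_t)0);
    free(dyn);
    return 0;
}
```

With the constructed input, the fixed buffer reports -1 instead of writing past 2048 bytes, while the dynamic version returns the full 3000-byte result.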