From owner-freebsd-bugs Sat Apr 1 22:53: 8 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id CA3AF37B7D5 for ; Sat, 1 Apr 2000 22:52:54 -0800 (PST) (envelope-from bde@zeta.org.au)
Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.8.7/8.8.7) with ESMTP id QAA26481; Sun, 2 Apr 2000 16:52:39 +1000
Date: Sun, 2 Apr 2000 16:52:21 +1000 (EST)
From: Bruce Evans
X-Sender: bde@alphplex.bde.org
To: Anatoly Vorobey
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/12242 : segmentation fault running /usr/bin/fmt
In-Reply-To: <200004020510.VAA60362@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 1 Apr 2000, Anatoly Vorobey wrote:

> > --- /usr/src/usr.bin/fmt/fmt.c.orig Tue Sep 30 15:42:05 1997
> > +++ /usr/src/usr.bin/fmt/fmt.c Sat Aug 7 22:40:31 1999
> > @@ -450,7 +450,8 @@
> >  outbuf = realloc(outbuf, outbuf_size);
> >  if (outbuf == 0)
> >  abort();
> > - outp += outbuf-old_outbuf;
> > + if (outp != NOSTR)
> > + outp += outbuf-old_outbuf;
>
> This will work, but isn't standard C (outbuf-old_outbuf is not good). Perhaps
> the following is better. Maybe someone could review/commit this? I've
> verified this solves the problem.
>
> --- fmt.c.orig Sat Aug 28 01:01:18 1999
> +++ fmt.c Sun Apr 2 07:06:04 2000
> @@ -450,7 +450,8 @@
>  outbuf = realloc(outbuf, outbuf_size);
>  if (outbuf == 0)
>  abort();
> - outp += outbuf-old_outbuf;
> + if (outp != NOSTR)
> + outp = outbuf + (outp - old_outbuf);
>  }

Both old_outbuf and outp are invalid after outbuf has been realloc'ed. Just
loading them may trap. The buffer offset should be computed _before_ the
realloc.

Bruce
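Review bot: in the first quoted hunk (the PR's original patch), `outp += outbuf-old_outbuf` subtracts two pointers that belong to different allocations, which C leaves undefined, and it is evaluated after `realloc` has returned, when `old_outbuf` (and `outp` itself) may point into a block that has already been freed. The `if (outp != NOSTR)` guard is the right addition, but the distance from the buffer base should be captured as an integer offset before the `outbuf = realloc(outbuf, outbuf_size);` line and `outp` rebuilt from the new `outbuf` plus that offset afterwards.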
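Review bot: in the second hunk, `outp = outbuf + (outp - old_outbuf)` fixes the pointer arithmetic form but still reads `outp` and `old_outbuf` after the `realloc` call, so both operands may already be dangling; move the subtraction above `outbuf = realloc(outbuf, outbuf_size);`, store it in a `size_t`, and keep only `outp = outbuf + off;` under the `NOSTR` check after the `abort()` test.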
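The ordering Bruce describes, as an added C example that is not fmt.c's own code: the cursor offset is taken before realloc(), while the old base and cursor still point into a live object, and the cursor is rebuilt from the new base afterwards. The struct, the function names and the NOSTR definition are assumptions made for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define NOSTR ((char *)0)          /* assumed: fmt.c's "no string" sentinel */

/* Assumed layout: a growable output buffer and a write cursor into it. */
struct outbuf {
    char  *outbuf;                 /* base of the allocation */
    size_t outbuf_size;            /* bytes allocated */
    char  *outp;                   /* write cursor, or NOSTR before first write */
};

/* Grow so that at least `want` bytes are allocated, keeping outp valid.
 * The cursor's offset is computed BEFORE realloc(), while outp and the old
 * base still point into a live object; once realloc() returns, the old base
 * (fmt.c's old_outbuf) and the old outp are dangling and must not be read. */
int outbuf_grow(struct outbuf *b, size_t want)
{
    size_t off = 0;
    size_t newsize = b->outbuf_size ? b->outbuf_size : 64;
    int have_cursor = (b->outp != NOSTR);
    char *p;

    if (b->outbuf_size >= want)
        return 0;                               /* nothing to do */
    if (have_cursor)
        off = (size_t)(b->outp - b->outbuf);    /* same object: well defined */
    while (newsize < want)
        newsize *= 2;
    p = realloc(b->outbuf, newsize);
    if (p == NULL)
        return -1;                              /* old block still owned by b */
    b->outbuf = p;
    b->outbuf_size = newsize;
    if (have_cursor)
        b->outp = b->outbuf + off;              /* rebuild from the NEW base */
    return 0;
}

/* Append n bytes at the cursor, growing as needed; returns 0, or -1 on ENOMEM. */
int outbuf_put(struct outbuf *b, const char *s, size_t n)
{
    size_t used = (b->outp == NOSTR) ? 0 : (size_t)(b->outp - b->outbuf);

    if (outbuf_grow(b, used + n + 1) != 0)
        return -1;
    if (b->outp == NOSTR)
        b->outp = b->outbuf;
    memcpy(b->outp, s, n);
    b->outp += n;
    *b->outp = '\0';
    return 0;
}
```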