Please do not reply directly to this email. All additional comments should be
made in the comments box of this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=456892

--- Comment #13 from Michael Schwendt <bugs.michael@xxxxxxx> 2008-11-22 08:29:26 EDT ---
> these are not blocking issues

These are format string buffer overflows and ought to get fixed.
Run-time parameters (url, host, range) can cause a crash.

Do a "grep GETREQ *" in the source tree and notice that during allocation
of the buffer, the size is reduced by 2:

  Aget.c: fmt = (char *)calloc(GETREQSIZ - 2, sizeof(char));

The snprintf size, however, is not reduced by 2:

  Aget.c: snprintf(fmt, GETREQSIZ, GETREQ, req->url, req->host, PROGVERSION, soffset);

  Defs.h: GETREQSIZ = 256,
  Defs.h:#define GETREQ "GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nRange: bytes=%ld-\r\nConnection: close\r\n\r\n"
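
The size mismatch quoted in the comment above, worked through as an added example (not code from the package under review or from the bug report). It computes how far the quoted calloc/snprintf pair can write past its allocation without performing that write, next to a variant where one size drives both calls. The value of PROGVERSION and the function names getreq_needed, original_overrun and build_getreq are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* GETREQSIZ and GETREQ are quoted in the comment; the value of PROGVERSION
 * is not on the page, so a placeholder is assumed here. */
#define GETREQSIZ 256
#define PROGVERSION "EXAMPLE/0.0"
#define GETREQ "GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n" \
               "Range: bytes=%ld-\r\nConnection: close\r\n\r\n"

/* Bytes, including the NUL, that the formatted request needs; 0 on error. */
size_t getreq_needed(const char *url, const char *host, long soffset)
{
    int n = snprintf(NULL, 0, GETREQ, url, host, PROGVERSION, soffset);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bytes the quoted pattern can write past its allocation:
 * calloc(GETREQSIZ - 2, ...) followed by snprintf(fmt, GETREQSIZ, ...).
 * Computed only; the out-of-bounds write is never performed. */
size_t original_overrun(const char *url, const char *host, long soffset)
{
    size_t alloc = GETREQSIZ - 2;
    size_t written = getreq_needed(url, host, soffset);
    if (written > GETREQSIZ)
        written = GETREQSIZ;       /* snprintf stops at the size it is given */
    return written > alloc ? written - alloc : 0;
}

/* Variant with a single size for allocation and snprintf bound; an error
 * or a truncated result is reported as NULL. The caller frees the buffer. */
char *build_getreq(const char *url, const char *host, long soffset)
{
    size_t need = getreq_needed(url, host, soffset);
    char *buf = need ? calloc(need, sizeof(char)) : NULL;
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, need, GETREQ, url, host, PROGVERSION, soffset);
    if (n < 0 || (size_t)n >= need) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    printf("overrun: %zu\n", original_overrun("/", "example.com", 0));
    return 0;
}
```

A request that fits in GETREQSIZ - 2 bytes gives an overrun of 0; once the formatted length reaches GETREQSIZ the quoted pattern writes 2 bytes beyond the allocated buffer.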