On Fri, Jul 19, 2013 at 11:35:01PM +0100, Dr. David Alan Gilbert wrote: > This is a fix for the bug I reported with 'more' crashing: > http://marc.info/?l=util-linux-ng&m=137401887913346&w=2 It seems that bug has been introduced 4 years ago by my commit 1ac300932deab8dea2c43050921bbbdb36d62ff1. The original code used static buffer Line[LINSIZ+2] -- yes, +2 for \n\0. I have applied the patch below. Please, test it (I'm not able to reproduce the problem with the file from Suse bugzilla). Thanks! Karel >From 1ef2db5a5672e09fa1337099b7d9d6ab61c19bdc Mon Sep 17 00:00:00 2001 From: Karel Zak <kzak@xxxxxxxxxx> Date: Thu, 1 Aug 2013 12:58:22 +0200 Subject: [PATCH] more: fix buffer overflow The bug has been probably introduced by commit 1ac300932deab8dea2c43050921bbbdb36d62ff1. Reported-by: "Dr. David Alan Gilbert" <dave@xxxxxxxxxxx> References: https://bugzilla.novell.com/show_bug.cgi?id=829720 Signed-off-by: Karel Zak <kzak@xxxxxxxxxx> --- text-utils/more.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/text-utils/more.c b/text-utils/more.c index 3bbeede..3377118 100644 --- a/text-utils/more.c +++ b/text-utils/more.c @@ -835,7 +835,8 @@ void prepare_line_buffer(void) if (nsz < LINSIZ) nsz = LINSIZ; - nline = xrealloc(Line, nsz); + /* alloc nsz and extra space for \n\0 */ + nline = xrealloc(Line, nsz + 2); Line = nline; LineLen = nsz; } -- 1.8.1.4 -- To unsubscribe from this list: send the line "unsubscribe util-linux" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
