ejh@slu70.UUCP (eric j. haug) (07/26/84)
In header.c version 2.20 6/24/83 I just noticed a bug that causes expire to go into an endless loop trying to cancel/unlink an article. This bug also causes other problems, if not correctly fixed throughout the news sources. In header.c/hread() near the beginning, if TRUE, a loop clears the header structure. This loop does not take into account that there is an array of character pointers initialized by calls to malloc (in frmread()). Nor is the return value from malloc (line ~210) checked against (char *)NULL. The following strcpy of course overwrites low data space when malloc fails, which it eventually has to (on a PDP11) since free() is never called. Just writing a loop to call free(), if any of the char * are not zero, fails because some calls to hread pass pointers to space on the stack. So the best fix is nontrivial; I elected to or (|) an additional flag with TRUE and do the calls to free if that flag is set. This is currently only done in expire.c. In frmread the return from malloc is tested, and the strcpy ignored when NULL returned. It seems to me that this bug would not be noticed on a vmunix machine.
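An added C sketch of the two fixes the post describes, not code from the 1984 news sources: the header struct, hclear()/keep_unrec(), the HCLEAR/HFREE flag names and the live-allocation counter are constructed here as stand-ins for header.c's hread() and frmread().

```c
#include <stdlib.h>
#include <string.h>

#define NUNREC 4    /* constructed: slots for unrecognized header lines */
#define HCLEAR 1    /* the original TRUE flag: zero the header structure */
#define HFREE  2    /* added flag (or'ed in by the caller): free() the lines first */

struct hbuf { char subject[64]; char *unrec[NUNREC]; };  /* unrec[] is malloc'd */

static long live_allocs;   /* bookkeeping so the leak is observable in a test */

/* hclear: zero the header. unrec[] is freed only when HFREE is set, because
 * callers that pass a stack-allocated hbuf may hand over garbage pointers. */
void hclear(struct hbuf *h, int flags)
{
    if (flags & HFREE)                     /* the fix: release before zeroing */
        for (int i = 0; i < NUNREC; i++)
            if (h->unrec[i] != NULL) { free(h->unrec[i]); h->unrec[i] = NULL; live_allocs--; }
    if (flags & HCLEAR)
        memset(h, 0, sizeof *h);           /* alone, this silently drops the pointers */
}

/* keep_unrec: save one unrecognized line (the frmread() role). Returns 1 if
 * stored, 0 if no slot is free or malloc() failed; strcpy is skipped on failure. */
int keep_unrec(struct hbuf *h, const char *line)
{
    for (int i = 0; i < NUNREC; i++) {
        if (h->unrec[i] != NULL) continue;
        char *p = malloc(strlen(line) + 1);
        if (p == (char *)NULL) return 0;   /* the fix: never strcpy into NULL */
        strcpy(p, line);
        h->unrec[i] = p;
        live_allocs++;
        return 1;
    }
    return 0;
}

/* demo: fill a fresh header with two constructed lines, clear it with `flags`,
 * and return how many of those allocations are still live (0 means no leak). */
int demo(int flags)
{
    struct hbuf h;
    memset(&h, 0, sizeof h);
    long before = live_allocs;
    keep_unrec(&h, "X-Unknown: one");
    keep_unrec(&h, "X-Unknown: two");
    hclear(&h, flags);
    return (int)(live_allocs - before);
}
```

demo(HCLEAR) reproduces the original behaviour (two strings leaked per cleared header), while demo(HCLEAR | HFREE) releases them.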