konijn@ace.UUCP (03/24/87)
Index: /usr/src/new/mh/sbr/m_getfld.c Description: The MH package as distributed on the Florence EUUG tape and with BSD 4.3 was tuned for speed on a vax. It shows. The routine matchc() is written both in vax assembler and C code. The C version can find a match even after the end of the string to be searched. This means inc(1) can copy a chunk of data too large to fit the output buffer, corrupting the malloc(3) administration. Repeat-By: Receive a message with lots of "\nFro" strings in it, hope for a specific constellation of buffer and message sizes and watch inc(1) drop core. Fix: Apply the following diff to ~mh/sbr/m_getfld.c for a new implementation of matchc().
*** m_getfld.c Fri Mar 20 15:59:20 1987
--- /tmp/1 Fri Mar 20 16:47:35 1987
***************
*** 579,605 ****
register int strln;
register char *str;
{
! register char *s;
! register char *p;
! register int pcnt;
! register char pfirst;
! strln -= patln;
! patln --;
! pfirst = *pat++;
! while (strln-- >= 0) {
! s = str;
! if (*s++ == pfirst) {
! p = pat;
! pcnt = patln;
! do {
! if (pcnt-- == 0)
! return str;
! } while (*p++ == *s++);
! }
! str++;
}
- return 0;
}
#endif
--- 579,601 ----
register int strln;
register char *str;
{
! register char *pp;
! register int pl;
! register char pc = *pat++;
! for(;;) {
! while (pc != *str++ && --strln > 0)
! ;
! if (strln < 0)
! return 0;
!
! pp = pat; pl = patln;
! while (--pl > 0 && *str++ == *pp++)
! ;
! str += (pl - patln);
! if (pl == 0)
! return (str);
}
}
#endif
---------
Erik van Konijnenburg, <konijn@ace.nl>, ...!mcvax!ace!konijn, ACE Associated Computer Experts bv, Amsterdam, the Netherlands
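Review bot: The replacement scan can still run past the end of the buffer, because `--strln` is skipped whenever `pc` matches `*str++` and the comparison loop that follows never consults `strln` at all. Every first-character hit that fails the full comparison leaves `strln` one too high, and when the scan loop stops with `strln == 0` the `if (strln < 0)` test does not fire, so a match lying partly or wholly beyond `str + strln` can still be returned to the caller that sizes its copy from it. Bounding the scan with an end pointer computed once from `strln` and `patln` removes the drifting counter. The function header is outside the hunk, so the sketch below assumes `patln >= 1` and keeps the existing comparison loop as it is.

```c
	register char *es;	/* last position at which a full match still fits */
	register char *pp;
	register int pl;
	register char pc = *pat++;

	if (strln < patln)
		return 0;
	es = str + (strln - patln);
	for(;;) {
		while (pc != *str++)
			if (str > es)
				return 0;
		if (str > es + 1)	/* first char matched too late for the rest to fit */
			return 0;
		/* … unchanged: compare the rest of the pattern, rewind str, return on a full match … */
	}
```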
konijn@ace.UUCP (04/14/87)
Index: /usr/src/new/mh/uip/scansbr.c Description: The inc(1) command, part of MH-6.4, will loose mail if writing in a folder fails. This happens only for small messages. Repeat-By: For System V systems: sh $ date | mail me $ ulimit -f 0 $ inc incorporating new mail ... $ inc no mail to incorporate ... $ scan last 25 empty $ ^D Fix: Test return value of fclose().
*** /tmp/1 Tue Apr 14 20:27:45 1987
--- scansbr.c Tue Apr 14 20:16:01 1987
***************
*** 263,269 ****
*--nxtbuf = tmpbuf;
if (outnum)
! (void) fclose (scnout);
return (state != FILEEOF ? SCNERR : encrypted ? SCNENC : SCNMSG);
}
--- 263,270 ----
*--nxtbuf = tmpbuf;
if (outnum)
! if (fclose (scnout) == EOF)
! adios (scnmsg, "Write error on");
return (state != FILEEOF ? SCNERR : encrypted ? SCNENC : SCNMSG);
}
---------
Erik van Konijnenburg, <konijn@ace.nl>, ...!mcvax!ace!konijn, ACE Associated Computer Experts bv, Amsterdam, the Netherlands
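Review bot: The new `fclose (scnout) == EOF` test only reports a failure of the final flush and close; a write error that an earlier flush of a larger message left in the stream's error indicator is not guaranteed to make fclose() fail. The description says only small messages were lost, so earlier writes are presumably checked somewhere outside this hunk, but that is not visible here; if they are not, test the indicator as well, e.g. `if (ferror (scnout) || fclose (scnout) == EOF)`, assuming adios() does not return. The nested unbraced `if` would also be safer with braces around the inner statement, and the enclosing function starts outside the hunk.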