imdave@cbnewsc.ATT.COM (david.e.bodenstab) (04/28/89)
When variable_expand() is called, it uses variable_buffer_output() to append strings to the end of variable_buffer. However, at the end of variable_expand(), there is the line "*o = '\0';". If the length of the string in variable_buffer is exactly the current size of variable_buffer, the assignment to *o will corrupt memory. Also, when there is nothing to expand (no '$' found), strlen(p)+1 was used in the call to variable_buffer_output(). This results in an unnecessary double NUL at the end of the string.

The patch follows:

Dave Bodenstab
...att!iwsl8!imdave

*** /tmp/,RCSt1a19651 Thu Apr 27 19:00:59 1989 --- variable.c Thu Apr 27 18:59:36 1989 *************** *** 1356,1362 p1 = index (p, '$'); ! o = variable_buffer_output (o, p, p1 != 0 ? p1 - p : strlen (p) + 1); if (p1 == 0) break; --- 1356,1362 ----- p1 = index (p, '$'); ! o = variable_buffer_output (o, p, p1 != 0 ? p1 - p : strlen (p)); if (p1 == 0) break; *************** *** 1586,1592 register unsigned int newlen = length + (ptr - variable_buffer); register char *new; ! if (newlen > variable_buffer_length) { variable_buffer_length = max (2 * variable_buffer_length, newlen + 100); new = (char *) xrealloc (variable_buffer, variable_buffer_length); --- 1586,1592 ----- register unsigned int newlen = length + (ptr - variable_buffer); register char *new; ! if (newlen >= variable_buffer_length) { variable_buffer_length = max (2 * variable_buffer_length, newlen + 100); new = (char *) xrealloc (variable_buffer, variable_buffer_length); <<< end of patch >>>
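Review bot: in the first hunk (lines 1356,1362), the corrected call `o = variable_buffer_output (o, p, p1 != 0 ? p1 - p : strlen (p));` no longer copies p's terminating NUL, so on the no-'$' path the string in variable_buffer is terminated only by the `*o = '\0'` at the end of variable_expand(); that store is in bounds only if variable_buffer_output() leaves a spare byte after the returned pointer, which is exactly what the second hunk's `>=` change provides, so the two hunks should be applied together, never the first alone. Worth checking that no other exit from this loop relied on the terminator having been copied in by variable_buffer_output().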
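Review bot: in the second hunk (lines 1586,1592), `if (newlen >= variable_buffer_length)` is the fix that matters for the memory corruption: with `>` the copy could end exactly at variable_buffer + variable_buffer_length, and the caller's `*o = '\0'` then lands one byte past the allocation; with `>=` there is always at least one byte beyond the returned position. variable_expand() now depends on that invariant silently, so a comment on variable_buffer_output() saying it always leaves one spare byte after the returned pointer (for the caller's terminator) would keep a later cleanup from reverting to `>`. The growth policy `max (2 * variable_buffer_length, newlen + 100)` is untouched and still yields strictly more than newlen bytes after a resize, so the spare byte is guaranteed on the grow path as well.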
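To make the off-by-one concrete, here is an added example (not code from the post or from GNU make) that models variable_buffer / variable_buffer_output() with a small growable buffer. The `fixed` flag selects the patched `>=` grow check versus the original `>`; `expand_terminator_in_bounds()` then runs the no-'$' copy path and reports whether the final terminator store would fall inside the allocation. All names, the initial size and the input strings are constructed for the demonstration.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-ins for make's variable_buffer / variable_buffer_length. */
static char *buf = NULL;
static size_t buf_len = 0;

/* Reset the buffer to a known size (constructed test fixture). */
void buf_reset(size_t initial) {
    free(buf);
    buf = malloc(initial);
    if (!buf) abort();
    buf_len = initial;
}

/* Append `length` bytes of `s` at `ptr`, growing the buffer when needed, and
   return the position just after the copied bytes (as variable_buffer_output()).
   fixed == 0: original `newlen > buf_len` check; fixed == 1: patched `>=`. */
char *buf_output(char *ptr, const char *s, size_t length, int fixed) {
    size_t off = (size_t)(ptr - buf);
    size_t newlen = length + off;
    int must_grow = fixed ? (newlen >= buf_len) : (newlen > buf_len);
    if (must_grow) {
        /* Same growth policy as the patch: max(2 * len, newlen + 100). */
        size_t nl = (2 * buf_len > newlen + 100) ? 2 * buf_len : newlen + 100;
        char *nb = realloc(buf, nl);
        if (!nb) abort();
        buf = nb;
        buf_len = nl;
        ptr = buf + off;
    }
    memcpy(ptr, s, length);
    return ptr + length;
}

/* Run the "nothing to expand" path of variable_expand() for string `s` with a
   buffer of `initial` bytes. Returns 1 if the terminator store `*o = '\0'` is
   inside the allocation, 0 if it would land one byte past the end. */
int expand_terminator_in_bounds(const char *s, size_t initial, int fixed) {
    buf_reset(initial);
    char *o = buf_output(buf, s, strlen(s), fixed);   /* strlen(s), not +1 */
    int in_bounds = (o < buf + buf_len);
    if (in_bounds)
        *o = '\0';   /* the final store in variable_expand() */
    return in_bounds;
}
```

With a 4-byte buffer and a 4-byte string, the original `>` check does not grow the buffer and the terminator would be written at `buf + 4`, one past the allocation; the patched `>=` check grows first, so the same store is in bounds. A shorter string fits either way, which is why the bug only shows when the expanded length equals the buffer size exactly.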