imdave@cbnewsc.ATT.COM (david.e.bodenstab) (04/28/89)
When variable_expand() is called, it uses variable_buffer_output() to
append strings to the end of variable_buffer. However, at the end of
variable_expand(), there is the line "*o = '\0';". If the length of the
string in variable_buffer is exactly the current size of variable_buffer,
the assignment to *o will corrupt memory. Also, when there is nothing
to expand (no '$' found), strlen(p)+1 was used in the call to
variable_buffer_output(). This results in an unnecessary double NUL
at the end of the string. The patch follows:
Dave Bodenstab
...att!iwsl8!imdave
*** /tmp/,RCSt1a19651 Thu Apr 27 19:00:59 1989
--- variable.c Thu Apr 27 18:59:36 1989
***************
*** 1356,1362
p1 = index (p, '$');
! o = variable_buffer_output (o, p, p1 != 0 ? p1 - p : strlen (p) + 1);
if (p1 == 0)
break;
--- 1356,1362 -----
p1 = index (p, '$');
! o = variable_buffer_output (o, p, p1 != 0 ? p1 - p : strlen (p));
if (p1 == 0)
break;
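Review bot: With `strlen (p)` replacing `strlen (p) + 1`, the text copied on this line no longer carries its own terminator, and nothing at the call site records that. The string is now terminated only by the `*o = '\0';` at the end of variable_expand(), which the description quotes but this hunk does not show. That store stays in bounds only if variable_buffer_output() always leaves a spare byte past the pointer it returns, which is what the `>=` change in the second hunk provides. I would add a comment here such as `/* No NUL copied; variable_buffer_output keeps one byte free for the final *o = '\0'. */` so the two changes are not separated later. The enclosing loop starts and ends outside the hunk.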
***************
*** 1586,1592
register unsigned int newlen = length + (ptr - variable_buffer);
register char *new;
! if (newlen > variable_buffer_length)
{
variable_buffer_length = max (2 * variable_buffer_length, newlen + 100);
new = (char *) xrealloc (variable_buffer, variable_buffer_length);
--- 1586,1592 -----
register unsigned int newlen = length + (ptr - variable_buffer);
register char *new;
! if (newlen >= variable_buffer_length)
{
variable_buffer_length = max (2 * variable_buffer_length, newlen + 100);
new = (char *) xrealloc (variable_buffer, variable_buffer_length);
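Review bot: The size arithmetic around the new `>=` test is done in `unsigned int` and is not checked for wrap-around: `length + (ptr - variable_buffer)`, `2 * variable_buffer_length` and `newlen + 100` can each overflow silently. If `newlen` wraps to a small value the test is false and no growth happens, so the copy that presumably follows outside this hunk would write past the buffer. A guard before the test, for example rejecting the request when `newlen < length`, would close that; how to report the failure depends on code not visible here. The function starts and ends outside the hunk, so the copy and any rebasing of `ptr` after xrealloc() cannot be confirmed from these lines.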
<<< end of patch >>>