john@polyof.UUCP ( John Buck ) (12/26/85)
The in line overstriking function of n/troff is broken. This bug exists in all versions of *roff that I looked at (including DWB ditroff).

Bug follows:

    here is a big overprint: \o'abcdefghijklmnopqrstuvwxyz123356798'

The bug was found cause someone made a mistake and forgot to put the closing delimiter on the \o command, and it caused lots of overstrikes (to the end of line actually).

The bug is that the overstrike buffer is declared to be 10 long or some such, and a test IS made so that if you ask for more than 10 overprints, it breaks out of its loop. It then takes the liberty of doing:

    while(n < NOVR){
        blah[n] = getc();
        blah1[n] = size(c);
        n++;
    }
    blah[n] = 0;
    blah1[n] = 0;

The arrays blah[] and blah1[] are declared as such:

    char blah[NOVR], blah1[NOVR];

Needless to say, setting the element beyond the end of blah[] and/or blah1[] often has unexpected results. In this case, a core dump since it creamed a return address on the stack.

Bug is in n9.c, look for /^setov/
The bug is obvious.

John Buck
Polytechnic Inst. of NY
Route 110
Farmingdale, NY 11735
decvax!mcnc!philabs!ron1!polyof!john
                  |
                  +--!rti-sel!john
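The off-by-one store described in the post, next to a bounded form, as an added example that is not part of the original post and is not the troff source. The guard byte, the `struct ovbuf` layout, the function names, the NUL check standing in for the closing delimiter and the value 10 for NOVR are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define NOVR  10     /* assumed size; the post says "10 long or some such" */
#define GUARD 0xA5   /* constructed canary standing in for adjacent stack data */

/* mem[0..NOVR-1] is the overstrike buffer, mem[NOVR] is a guard byte.
 * Keeping both in one array makes the one-past-the-end store observable
 * without relying on undefined behaviour. */
struct ovbuf { unsigned char mem[NOVR + 1]; };

static void reset(struct ovbuf *b)
{
    memset(b->mem, 0, NOVR);
    b->mem[NOVR] = GUARD;
}

/* Pattern from the post: fill while n < NOVR, then terminate at [n]. */
static size_t fill_as_posted(struct ovbuf *b, const char *in)
{
    size_t n = 0;
    reset(b);
    while (n < NOVR && in[n] != '\0') { b->mem[n] = (unsigned char)in[n]; n++; }
    b->mem[n] = 0;   /* n == NOVR on long input: the store lands on the guard */
    return n;
}

/* Bounded form: the last slot is reserved for the terminator. */
static size_t fill_bounded(struct ovbuf *b, const char *in)
{
    size_t n = 0;
    reset(b);
    while (n < NOVR - 1 && in[n] != '\0') { b->mem[n] = (unsigned char)in[n]; n++; }
    b->mem[n] = 0;   /* n <= NOVR - 1, always inside the buffer */
    return n;
}

static int guard_intact(const struct ovbuf *b) { return b->mem[NOVR] == GUARD; }

int main(void)
{
    struct ovbuf b;
    const char *in = "abcdefghijklmnopqrstuvwxyz123356798"; /* string from the post */
    size_t n = fill_as_posted(&b, in);
    printf("as posted: n=%zu guard %s\n", n, guard_intact(&b) ? "intact" : "clobbered");
    n = fill_bounded(&b, in);
    printf("bounded:   n=%zu guard %s\n", n, guard_intact(&b) ? "intact" : "clobbered");
    return 0;
}
```

Declaring the arrays as `NOVR + 1` instead of shortening the loop closes the same gap while keeping all NOVR overstrike slots usable.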