Subject: re: install/17223: sysinst core dumps
To: None <gnats-bugs@gnats.netbsd.org>
From: David Laight <david@l8s.co.uk>
List: netbsd-bugs
Date: 08/01/2003 14:15:29
I have finally spotted the stupid error!

Near the top of launch_subwin() in run.c is [1] the following:

	command = (char *)malloc(MAXBUF * sizeof(char));
	for (p = *args; p != NULL; p = *++args) {
		strcat(command, p);
		strcat(command, " ");
	}

This would work rather better if:
	command[0] = 0;
was added after the malloc() call!

Finally spotted after seeing the result of many command lines being
appended to the same piece of memory.
It would have been easier to spot if there was a free(command) call at
the bottom of the routine! Lacking such a call the compiler throws away
the address of the buffer - so even though the overwrite was obviously
from the above code (and I couldn't find the 'lost' buffer from a
known previous incantation) the error is still hard to spot!

How do we get the fix into 1.6.1?

	David

[1] in 1.6, but removed well before I started hacking sysinst.

-- 
David Laight: david@l8s.co.uk
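A worked version of the fix described in the report, added here as an example; it is not code from the report or from sysinst's run.c. The MAXBUF value, the argument list and the helper names are assumptions. Beyond the one-line `command[0] = 0` fix, it also bounds the join to the buffer size and pairs the malloc() with the free() the report asks for.

```c
#include <stdlib.h>
#include <string.h>

#define MAXBUF 256	/* assumed size; the report does not quote sysinst's value */

/* Join args into buf the way the report's loop does (each word followed by a
 * space).  Two things the original lacked: buf[0] = 0 before the first append,
 * so the join starts from an empty string rather than from whatever malloc()
 * handed back, and a length check.  Returns 0, or -1 on overflow (buf emptied). */
static int
build_command(char *buf, size_t bufsz, char **args)
{
	size_t used = 0;
	char *p;
	if (bufsz == 0)
		return -1;
	buf[0] = '\0';				/* the one-line fix from the report */
	for (p = *args; p != NULL; p = *++args) {
		size_t n = strlen(p) + 1;	/* word plus trailing space */
		if (n > bufsz - 1 - used) {
			buf[0] = '\0';
			return -1;
		}
		memcpy(buf + used, p, n - 1);
		buf[used + n - 1] = ' ';
		used += n;
		buf[used] = '\0';
	}
	return 0;
}

/* Reproduces the symptom safely: fill a buffer with leftover text (standing in
 * for the stale heap contents sysinst kept appending to), then join a
 * constructed argument list into it.  Returns 1 if only the joined words remain. */
static int
stale_buffer_is_reset(void)
{
	char *argv_demo[] = { "ls", "-l", "/tmp", NULL };	/* constructed */
	char *command = malloc(MAXBUF);
	int ok;
	if (command == NULL)
		return 0;
	strcpy(command, "previous command line ");	/* pretend stale data */
	ok = build_command(command, MAXBUF, argv_demo) == 0 &&
	    strcmp(command, "ls -l /tmp ") == 0;
	free(command);			/* the free() the report also asks for */
	return ok;
}
```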