Subject: bin/2595: bc/dc core dump when outputting in bases other than 10
To: None <gnats-bugs@NetBSD.ORG>
From: Dave Huang <khym@bga.com>
List: netbsd-bugs
Date: 07/02/1996 04:35:56
>Number:         2595
>Category:       bin
>Synopsis:       bc/dc core dump when outputting in bases other than 10
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul  2 05:50:03 1996
>Last-Modified:
>Originator:     Dave Huang
>Organization:
Name: Dave Huang     |   Mammal, mammal / their names are called /
INet: khym@bga.com   |   they raise a paw / the bat, the cat /
FurryMUCK: Dahan     |   dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 20 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
>Release:        1.2_ALPHA (NetBSD-current as of July 1, 1996)
>Environment:
System: NetBSD apm2-121.realtime.net 1.2_BETA NetBSD 1.2_BETA (SPIFF) #17: Thu Jun 27 19:47:22 CDT 1996 khym@dahan.metonymy.com:/usr/src/sys/arch/i386/compile/SPIFF i386


>Description:
dc and bc will dump core when printing integers if the output base is
set to something other than 10.

This is caused by t_num being freed at line 1345 of bc's number.c
without being previously allocated. t_num is only allocated if the
number to be printed has a fractional part.
>How-To-Repeat:
% dc
8o1p
Bus error (core dumped)
% bc
bc 1.03 (Nov 2, 1994)
Copyright (C) 1991, 1992, 1993, 1994 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'. 
obase=8
print 1
Bus error (core dumped)
>Fix:
Either always allocate t_num, or don't free it if it wasn't allocated.
>Audit-Trail:
>Unformatted:
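
The second option in the Fix field, as an added example that is not bc's code and is not taken from number.c: a scratch pointer that is allocated only on the fractional path is initialized to NULL, so the unconditional free() is a no-op for integers. Only the name t_num comes from the report; out_num_sketch and its parameters are hypothetical, and the fraction is limited to 6 decimal digits to keep the arithmetic in range.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an output routine; not the code in number.c.
 * Writes int_part plus frac_num / 10^frac_scale in `base` (2..16) to out. */
int out_num_sketch(unsigned long int_part, unsigned long frac_num,
                   unsigned frac_scale, unsigned base,
                   char *out, size_t outlen)
{
    static const char digits[] = "0123456789ABCDEF";
    char ibuf[8 * sizeof(unsigned long)];
    char *t_num = NULL;          /* always initialized, so free() is safe */
    unsigned long denom = 1;
    size_t n = 0, pos = 0;
    int rc = -1;
    if (base < 2 || base > 16 || frac_scale > 6 || outlen == 0)
        return -1;
    /* Integer part: digits come out least significant first. */
    do {
        ibuf[n++] = digits[int_part % base];
        int_part /= base;
    } while (int_part != 0);
    if (n + 1 > outlen) goto done;
    while (n > 0)
        out[pos++] = ibuf[--n];
    /* Scratch buffer exists only when there is a fractional part. */
    if (frac_scale > 0) {
        for (unsigned i = 0; i < frac_scale; i++)
            denom *= 10;
        if (frac_num >= denom || pos + frac_scale + 2 > outlen)
            goto done;
        t_num = malloc(frac_scale);
        if (t_num == NULL) goto done;
        for (unsigned i = 0; i < frac_scale; i++) {
            frac_num *= base;
            t_num[i] = digits[frac_num / denom];
            frac_num %= denom;
        }
        out[pos++] = '.';
        memcpy(out + pos, t_num, frac_scale);
        pos += frac_scale;
    }
    out[pos] = '\0';
    rc = 0;
done:
    if (rc != 0) out[0] = '\0';  /* never hand back a partial string */
    free(t_num);                 /* integer-only path: free(NULL) is a no-op */
    return rc;
}
```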