Subject: bin/15000: mail(1) doesn't reposition pointer correctly
To: None <>
From: None <>
List: netbsd-bugs
Date: 12/18/2001 14:29:01
>Number:         15000
>Category:       bin
>Synopsis:       mail(1) doesn't reposition pointer correctly
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 18 14:29:00 PST 2001
>Originator:     Mike Heffner
>Release:        N/A
While merging the NetBSD changes into the FreeBSD version of mail(1),
I found that there is a bug in which the 'dot' pointer can become corrupt.
In fio.c::makemessage() the 'dot' pointer is reset for a malloc() operation,
but if realloc() is called, and the buffer is moved in memory, the dot pointer
will point to a stale buffer. Further operations using the dot variable will

Noticed when using 'set autoinc' and receiving mail while mail(1) is running
in interactive mode. Various operations would fail with negative message

This patch directly fixes the problem:

--- fio.c.orig  Tue Dec 18 01:23:20 2001
+++ fio.c       Tue Dec 18 01:24:08 2001
@@ -284,10 +284,12 @@
        size_t size = (msgCount + 1) * sizeof(struct message);

        if (omsgCount) {
+               int dotoff = message != NULL ? dot - message : 0;
                message = (struct message *)realloc(message, size);
                if (message == 0)
                        errx(1, "Insufficient memory for %d messages\n",
+               dot = &message[dotoff];
        } else {
                if (message != 0)
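
Review bot: the guard on the `dotoff` line checks `message != NULL` but not `dot`; if `dot` can still be NULL when the realloc() branch runs, `dot - message` is a meaningless negative offset and `dot = &message[dotoff];` then points outside the new buffer. Guard both sides, e.g. `int dotoff = (message != NULL && dot != NULL) ? dot - message : 0;`, and the difference of two pointers is a `ptrdiff_t`, so that type (or a `size_t` index) fits better than `int`. Separately, the hunk as quoted here is cut short: the `errx(1, "Insufficient memory for %d messages\n",` line has no argument list or closing `);`, and no trailing context follows `if (message != 0)`, so the patch will not apply from this message as pasted.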

or, the following patch by Todd Miller cleans up the whole function to
be simpler:
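The stale-pointer problem this report describes, shown as an added example that is not part of the report, of mail(1)'s fio.c, or of either patch. The `struct message` below is a stand-in with assumed fields, `grow_messages()` and `demo_dot_survives_growth()` are hypothetical helpers, and the message counts are constructed; the point it demonstrates is the one the patch above relies on: keep `dot` as an offset across realloc() and rebuild it from the new base, since the old base may have moved.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for mail(1)'s struct message (assumed shape, not the real one). */
struct message {
    int  m_index;   /* position in the array, so a caller can see which message dot names */
    long m_size;
};

/*
 * Grow *msgs to hold 'count' messages while keeping *dot valid.
 * Same idea as the patch in the report: remember dot as an offset
 * before realloc() and rebuild it from the new base afterwards.
 * Returns 0 on success, -1 if allocation fails (old buffer and dot untouched).
 */
static int grow_messages(struct message **msgs, struct message **dot, size_t count)
{
    ptrdiff_t dotoff = -1;
    if (*msgs != NULL && *dot != NULL)
        dotoff = *dot - *msgs;          /* an index survives a move; a pointer does not */

    struct message *nmsgs = realloc(*msgs, count * sizeof(**msgs));
    if (nmsgs == NULL)
        return -1;                      /* *msgs and *dot are still valid here */

    *msgs = nmsgs;
    *dot = (dotoff >= 0 && (size_t)dotoff < count) ? &nmsgs[dotoff] : nmsgs;
    return 0;
}

/* Fill the newly added tail of the array with indexed dummy messages. */
static void fill_messages(struct message *msgs, size_t from, size_t to)
{
    for (size_t i = from; i < to; i++) {
        msgs[i].m_index = (int)i;
        msgs[i].m_size = 0;
    }
}

/*
 * Simulate 'set autoinc': start with 4 messages, point dot at message 2,
 * then grow the array repeatedly (forcing realloc() to move it for large
 * counts) and report which message dot refers to at the end.
 * Returns 2 when rebasing works, -1 on allocation failure.
 */
int demo_dot_survives_growth(size_t final_count)
{
    struct message *message = NULL, *dot = NULL;
    size_t msgCount = 4;

    if (grow_messages(&message, &dot, msgCount) != 0)
        return -1;
    fill_messages(message, 0, msgCount);
    dot = &message[2];                  /* "current" message */

    while (msgCount < final_count) {
        size_t old = msgCount;
        msgCount *= 2;
        if (msgCount > final_count)
            msgCount = final_count;
        if (grow_messages(&message, &dot, msgCount) != 0) {
            free(message);
            return -1;
        }
        fill_messages(message, old, msgCount);
    }

    int idx = dot->m_index;             /* safe: dot was rebased after every realloc() */
    free(message);
    return idx;
}

int main(void)
{
    printf("dot -> message %d\n", demo_dot_survives_growth(1u << 18));
    return 0;
}
```

Without the offset round-trip, `dot` would keep the address inside the first buffer after realloc() moved it, which is exactly the corrupt pointer the report describes; rebasing from an index costs nothing and makes the fix independent of whether realloc() happened to grow in place.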