Subject: bin/32305: fmt overruns buffer if max length exceeds BUFSIZ
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: seebs <seebs@vash.cel.plethora.net>
List: netbsd-bugs
Date: 12/14/2005 20:50:01
>Number: 32305
>Category: bin
>Synopsis: fmt overruns a buffer if max length exceeds BUFSIZ
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Dec 14 20:50:00 +0000 2005
>Originator: seebs
>Release: NetBSD 3.99.11
>Organization:
>Environment:
System: NetBSD vash.cel.plethora.net 3.99.11 NetBSD 3.99.11 (VASH) #0: Sat Nov 12 10:21:22 CST 2005 seebs@vash.cel.plethora.net:/usr/src/sys/arch/i386/compile/VASH i386
Architecture: i386
Machine: i386
>Description:
fmt has a fixed buffer into which words are appended up to
goal_length, but the buffer is a static array of BUFSIZ characters.
>How-To-Repeat:
Use fmt to format a large document and note that characters around
column 1029 or so on long lines get corrupted.
>Fix:
Allocate outbuf dynamically.
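The approach proposed under Fix, as an added example that is not code from fmt.c or from this report: a word-reflow routine whose line buffer is allocated from max_length + 1 rather than a fixed BUFSIZ, with every append bounds-checked so an over-long word is refused instead of overrunning. reflow, line_builder, lb_append and reflow_long_word_fits are hypothetical names, and the sample inputs are constructed.

```c
/* Added example, not NetBSD fmt(1) code: a word-reflow routine whose line buffer
 * is sized from the requested max_length (+1 for the NUL, as the fix proposes)
 * rather than a fixed BUFSIZ, with every append bounds-checked. Names assumed. */
#include <stdlib.h>
#include <string.h>

struct line_builder {
    char *buf;  /* heap buffer of cap bytes, including room for the NUL */
    size_t cap; /* follows max_length, never a compile-time constant */
    size_t len; /* characters currently in the line, excluding the NUL */
};

static int lb_init(struct line_builder *lb, size_t max_length)
{
    lb->buf = malloc(max_length + 1);
    if (lb->buf == NULL)
        return -1;
    lb->cap = max_length + 1;
    lb->len = 0;
    lb->buf[0] = '\0';
    return 0;
}

/* Append wl bytes of word (with a separating space if the line is non-empty).
 * Returns 1 on success, 0 if it would not fit; never writes past cap. */
static int lb_append(struct line_builder *lb, const char *word, size_t wl)
{
    size_t sep = (lb->len > 0) ? 1 : 0;
    size_t room = lb->cap - 1 - lb->len;  /* characters that still fit */
    if (wl > room || sep > room - wl)     /* subtract, so no size_t wrap */
        return 0;
    if (sep)
        lb->buf[lb->len] = ' ';
    memcpy(lb->buf + lb->len + sep, word, wl);
    lb->len += sep + wl;
    lb->buf[lb->len] = '\0';
    return 1;
}

/* Copy the current line plus a newline into out at *olen, then reset it. */
static void lb_flush(struct line_builder *lb, char *out, size_t *olen)
{
    memcpy(out + *olen, lb->buf, lb->len);
    *olen += lb->len;
    out[(*olen)++] = '\n';
    lb->len = 0;
}

/* Reflow text into newline-terminated lines of at most max_length characters.
 * Returns a malloc'd string (caller frees), or NULL if a word is longer than
 * max_length or an allocation fails. */
char *reflow(const char *text, size_t max_length)
{
    size_t tl = strlen(text), olen = 0, i = 0;
    char *out = malloc(2 * tl + 2);  /* each word adds at most one separator */
    struct line_builder lb = { NULL, 0, 0 };
    if (out == NULL || lb_init(&lb, max_length) != 0)
        goto fail;
    while (text[i] != '\0') {
        size_t wl;
        i += strspn(text + i, " \t\n");    /* skip inter-word blanks */
        wl = strcspn(text + i, " \t\n");   /* length of the next word */
        if (wl == 0)
            break;
        if (!lb_append(&lb, text + i, wl)) {
            if (lb.len == 0)  /* the word alone exceeds max_length */
                goto fail;
            lb_flush(&lb, out, &olen);
            if (!lb_append(&lb, text + i, wl))
                goto fail;
        }
        i += wl;
    }
    if (lb.len > 0)
        lb_flush(&lb, out, &olen);
    out[olen] = '\0';
    free(lb.buf);
    return out;
fail:
    free(out);
    free(lb.buf);
    return NULL;
}

/* Check that one word of `width` characters survives intact at
 * max_length == width, whatever BUFSIZ happens to be on this platform. */
int reflow_long_word_fits(size_t width)
{
    char *word = calloc(width + 1, 1), *res;
    int ok;
    if (word == NULL)
        return 0;
    memset(word, 'x', width);
    res = reflow(word, width);
    ok = res != NULL && strlen(res) == width + 1 && res[width] == '\n';
    free(word);
    free(res);
    return ok;
}
```

With a constructed input, reflow("the quick brown fox jumps", 10) yields "the quick", "brown fox" and "jumps" on separate lines, and a single word longer than max_length makes reflow return NULL rather than write past the buffer; reflow_long_word_fits(20000) passes because capacity tracks max_length, which is the property the fixed BUFSIZ array lacked.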
*** fmt.orig Wed Dec 14 14:43:01 2005
--- fmt.c Wed Dec 14 14:43:22 2005
***************
*** 72,77 ****
--- 72,80 ----
int mark; /* Last place we saw a head line */
int center;
+ char *outbuf; /* Sandbagged output line image */
+ char *outp; /* Pointer in above */
+
char *headnames[] = {"To", "Subject", "Cc", 0};
static void fmt(FILE *);
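Review bot: the new file-scope `char *outbuf;` and `char *outp;` are declared without `static`, unlike the neighbouring `static void fmt(FILE *);`, even though only the output section uses them; `static char *outbuf;` and `static char *outp;` would keep them out of the global namespace. The hunk also does not show a `<stdlib.h>` include for the `malloc()` it introduces later in the patch, so confirm fmt.c already has one.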
***************
*** 131,136 ****
--- 134,143 ----
"goal length");
exit(1);
}
+ outbuf = malloc(max_length + 1);
+ if (!outbuf) {
+ errx("Can't allocate %d characters", max_length + 1);
+ }
if (argc < 2) {
fmt(stdin);
oflush();
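Review bot: `errx("Can't allocate %d characters", max_length + 1);` hands the format string to `errx()` as its `int eval` exit status and the integer as the format, so on a failed allocation the error path itself misbehaves instead of printing the message. The exit status has to come first, and because `malloc()` sets errno, `err()` would also report the reason: `err(1, "Can't allocate %d characters", max_length + 1);` (status 1 matches the `exit(1)` in the surrounding code). Since the buffer is now exactly `max_length + 1` bytes, it is also worth confirming that the output routine flushes before a line reaches `max_length` characters rather than one word after.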
***************
*** 386,393 ****
* there ain't nothing in there yet. At the bottom of this whole mess,
* leading tabs are reinserted.
*/
- char outbuf[BUFSIZ]; /* Sandbagged output line image */
- char *outp; /* Pointer in above */
/*
* Initialize the output section.
--- 393,398 ----
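Review bot: with the local `char outbuf[BUFSIZ]` and `char *outp` removed, any surviving `sizeof(outbuf)` in the output section would now evaluate to the size of a pointer rather than the buffer; grep for it before committing. The comment block just above still introduces the buffer at this point, so a one-line note that `outbuf` is now the file-scope buffer allocated in main (sized `max_length + 1`) would keep that description accurate.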