Bug#779573: bibtool: heap buffer overflow in the bibtool tests
Thanks, it sounds helpful: I have just forwarded your last two emails
to the mainstream maintainer: let's wait for his feedback.
Jerome
On 02/03/15 16:27, Vincent Lefevre wrote:
> On 2015-03-02 16:10:43 +0100, Vincent Lefevre wrote:
>> rewrite.c:313 is:
>>
>> stack[stackp++] = field;
>>
>> With the context:
>>
>> if ( stackp > stacksize ) /* */
>> { stacksize += 8; /* */
>>   if ( (stack=(Uchar**)realloc((char*)stack, /* */
>>                                stacksize*sizeof(char*)))==NULL)/* */
>>   { OUT_OF_MEMORY("rule stack"); } /* */
>> } /* */
>> stack[stackp++] = field; /* */
>>
>> If I understand correctly, it seems that the 8-byte increase is not
>> sufficient.
>
> Actually, if stackp == stacksize, this is also bad.
> The test should be:
>
> if ( stackp >= stacksize )
>
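Added example (not from the bug report or from the bibtool sources) illustrating the off-by-one discussed above: `first_oob_push` replays the original `stackp > stacksize` growth condition arithmetically, without touching memory, and reports the first push whose write would land at index `stacksize`, one slot past the allocation; `rule_stack_push` is the same push written with the `>=` check Vincent proposes. The initial capacity of 8 entries and the 8-entry growth step are assumptions for the simulation; the report only shows the `+= 8` increment.

```c
#include <stdlib.h>
#include <stddef.h>

typedef unsigned char Uchar;

/* Growable pointer stack using the same variable names as rewrite.c. */
typedef struct {
    Uchar **stack;      /* heap array of `stacksize` pointers */
    size_t stackp;      /* index of the next free slot */
    size_t stacksize;   /* number of allocated slots */
} rule_stack;

static void rule_stack_init(rule_stack *s)
{
    s->stack = NULL;
    s->stackp = 0;
    s->stacksize = 0;
}

static void rule_stack_free(rule_stack *s)
{
    free(s->stack);
    rule_stack_init(s);
}

/* Corrected push: grow when the stack is full (stackp == stacksize),
   not only once stackp has already passed the end. Returns 0 on
   success, -1 if realloc fails (the original calls OUT_OF_MEMORY). */
static int rule_stack_push(rule_stack *s, Uchar *field)
{
    if (s->stackp >= s->stacksize) {
        size_t newsize = s->stacksize + 8;
        Uchar **tmp = realloc(s->stack, newsize * sizeof *tmp);
        if (tmp == NULL)
            return -1;
        s->stack = tmp;
        s->stacksize = newsize;
    }
    s->stack[s->stackp++] = field;
    return 0;
}

/* Dry run of the ORIGINAL condition (stackp > stacksize). Nothing is
   written; we only track indices. Returns the 1-based number of the
   first push that would store to stack[stacksize] (one past the end
   of the allocation), or 0 if `pushes` pushes stay in bounds.
   `initial_size` is the assumed starting capacity. */
static size_t first_oob_push(size_t initial_size, size_t pushes)
{
    size_t stackp = 0, stacksize = initial_size;
    for (size_t n = 1; n <= pushes; n++) {
        if (stackp > stacksize)          /* original, off-by-one check */
            stacksize += 8;
        if (stackp >= stacksize)         /* stack[stackp] is out of bounds */
            return n;
        stackp++;
    }
    return 0;
}

/* Push `n` distinct pointers through the corrected routine and verify
   that stackp never exceeds stacksize and every entry reads back.
   Returns 1 on success, 0 on any failure. */
static int push_many_ok(size_t n)
{
    static Uchar scratch[64];            /* constructed targets to point at */
    rule_stack s;
    rule_stack_init(&s);
    for (size_t i = 0; i < n; i++) {
        if (rule_stack_push(&s, &scratch[i % sizeof scratch]) != 0 ||
            s.stackp > s.stacksize) {
            rule_stack_free(&s);
            return 0;
        }
    }
    int ok = (s.stackp == n);
    for (size_t i = 0; ok && i < n; i++)
        ok = (s.stack[i] == &scratch[i % sizeof scratch]);
    rule_stack_free(&s);
    return ok;
}
```

With an assumed capacity of 8, the ninth push is the first one the original check lets through: `stackp` is 8, `8 > 8` is false, and `stack[8]` is written into whatever follows the allocation. The stack then grows on the tenth push, so the overflow recurs by exactly one pointer at every 8-entry boundary, which matches the heap-buffer-overflow report rather than a crash on every push.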