[EMAIL PROTECTED] writes:

> builtins/evalfile.c
> _evalfile()
> {
>   fd = open (filename, O_RDONLY);
>   fstat (fd, &finfo);
>   file_size = (size_t)finfo.st_size;
>   string = (char *)xmalloc (1 + file_size);
>   result = read (fd, string, file_size);
>   string[result] = '\0';
>   ;;;
> }
> (I checked bash-3.0 too)
>
> When the file size is very large or the filesystem is poor, the read(2)
> system call may not read all of the file. In this case, the return value
> will be shorter than the requested bytes.

Even worse, if read returns -1 then this writes beyond array bounds. Also,
file_size is size_t, but result is only int.

Andreas.

--
Andreas Schwab, SuSE Labs, [EMAIL PROTECTED]
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."

_______________________________________________
Bug-bash mailing list
Bug-bash@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-bash
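
The three problems raised in this thread (short reads, a -1 return used as an array index, and an int holding a byte count) handled in one read loop. This is an added example, not code from bash and not the fix the maintainers applied; the helper name read_whole_file and its interface are assumptions, and it uses malloc where the quoted code uses bash's xmalloc.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* read_whole_file is a hypothetical helper name. Returns a NUL-terminated
   buffer (caller frees) or NULL on any error; *len_out gets the byte count. */
char *read_whole_file(const char *path, size_t *len_out)
{
    struct stat st;
    char *buf = NULL;
    size_t want, got = 0;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return NULL;
    /* Reject fstat failure, negative sizes, and sizes where 1 + size wraps. */
    if (fstat(fd, &st) < 0 || st.st_size < 0 ||
        (uintmax_t)st.st_size >= SIZE_MAX)
        goto fail;
    want = (size_t)st.st_size;
    if ((buf = malloc(want + 1)) == NULL)
        goto fail;
    while (got < want) {
        /* ssize_t, not int: keeps -1 distinct and does not truncate counts. */
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;      /* interrupted before any data: retry */
            goto fail;         /* never index the buffer with -1 */
        }
        if (n == 0)
            break;             /* early EOF: file shrank after fstat */
        got += (size_t)n;      /* short read: loop for the remainder */
    }
    close(fd);
    buf[got] = '\0';           /* got <= want, so this stays in bounds */
    if (len_out)
        *len_out = got;
    return buf;
fail:
    free(buf);
    close(fd);
    return NULL;
}
```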