Joshua Rogers wrote:
> Hi,
>
> In fio.c on line 592, "cp = expand(buf);" is run, which returns that
> argument.
> Below it on line 594, "return(cp);" is run, but it points to an
> out-of-scope 'buf' variable.

The expand() function returns its argument as-is in one place only:

	if (strpbrk(name, "~{[*?$`'\"\\") == NULL)
		return(name);

The buf variable is initialized in line 593 to a string that starts with
the ~ character, so the above strpbrk() call won't return NULL, so expand()
will continue its execution until it reaches:

	if (!*xname)
		return (NULL);
	else
		return(savestr(xname));

Which means that it will return either NULL or a pointer to memory
allocated on the heap (savestr() calls salloc() which in turn calls
malloc()).

I agree that most probably it would be safer to use `return savestr(name)'
instead of `return name' in the strpbrk() check, and actually upstream has
recently changed it that way (see [1]), but unfortunately I have missed
that change while merging Debian patches, so the change is reverted in
Debian, see [2].

Anyway, as I wrote above, I cannot see any possibility that the
getdeadletter() function will return a pointer to a stack variable, but I
am leaving the bug report open so as not to forget about applying the
upstream change into the patch [2].

[1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/fio.c.diff?r1=1.33&r2=1.34&f=h
[2] http://anonscm.debian.org/cgit/users/robert/bsd-mailx.git/tree/debian/patches/21-Use-wordexpr-instead-of-echo.patch?id=c6aa916880b0a6691a1e0cc64f3afbf742420dcd

Thanks a lot,
robert
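
Added example, not part of the original message or of the bsd-mailx source: a simplified C model of the strpbrk() early return discussed above, showing when the result of expand() would alias a caller's stack buffer. The names expand_model(), savestr_model() and result_aliases_stack(), the copy_early flag and the sample file names are hypothetical; the real expansion step is replaced by a plain heap copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for savestr(): heap copy of the string. */
static char *savestr_model(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p != NULL)
        strcpy(p, s);
    return p;
}

/* Simplified model of expand(): only the strpbrk() check is from the
 * message; the expansion itself is replaced by a plain heap copy.
 * copy_early = 0 models return(name), 1 models return savestr(name). */
static char *expand_model(char *name, int copy_early)
{
    if (strpbrk(name, "~{[*?$`'\"\\") == NULL)
        return copy_early ? savestr_model(name) : name;
    return savestr_model(name);
}

/* Returns 1 if the result aliases this function's stack buffer, i.e.
 * returning it to a caller would leave a dangling pointer. */
static int result_aliases_stack(const char *contents, int copy_early)
{
    char buf[64];
    char *cp;
    int aliases;

    snprintf(buf, sizeof(buf), "%s", contents);
    cp = expand_model(buf, copy_early);
    aliases = (cp == buf);
    if (!aliases)
        free(cp);
    return aliases;
}

int main(void)
{
    /* Constructed sample names, not taken from fio.c. */
    printf("~ prefix, return(name):   %d\n", result_aliases_stack("~/dead.letter", 0));
    printf("no prefix, return(name):  %d\n", result_aliases_stack("dead.letter", 0));
    printf("no prefix, savestr(name): %d\n", result_aliases_stack("dead.letter", 1));
    return 0;
}
```

Only the middle case aliases the stack buffer, which is why a buffer that always starts with ~ is safe today and why copying in the early return removes the dependency on that invariant.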