Actually, there might be another issue:
>+{ while(buffilled+len>buflen) /* buf can't hold the text */
> buf=realloc(buf,buflen+=Bsize);

If buffilled > INT_MAX - len, I think this loop won't work, and so that one'll have the same overflow, as the tmemmove will be executed without any resize. I'm not sure how it could be exploited, and I might be wrong, but maybe one should also check that?

-- PEB
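
Review bot: the loop condition buffilled+len>buflen adds before it compares, so if these are signed ints (the INT_MAX in the reply suggests they are) a large len wraps the sum and the loop body never runs, leaving the buffer at its old size. Comparing by subtraction, for example while(len>buflen-buffilled), avoids the wrap provided buffilled never exceeds buflen and len is non-negative. On the second line, buflen+=Bsize can wrap the same way, and the realloc result is assigned straight to buf: unless realloc here is a wrapper that exits on failure, a NULL return loses the old buffer. An upper bound on buflen and a checked temporary for the realloc result would cover both.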

