Your message dated Sat, 18 Nov 2017 16:18:11 +0100
with message-id <20171118151811.zmc3avxjwvqml...@dinghy.sail.spinnaker.de>
has caused the report #882022,
regarding fig2dev: buffer underwrite in get_line()
to be marked as having been forwarded to the upstream software
author(s) Thomas Loimer <thomas.loi...@tuwien.ac.at>

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882022: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882022
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Hi Thomas!

I'm not sure whether a string length of 0 or 1 can really happen
here, but you're deeper in the code than me...

----- Forwarded message from Jakub Wilk <jw...@jwilk.net> -----

From: Jakub Wilk <jw...@jwilk.net>
Subject: Bug#882022: fig2dev: buffer underwrite in get_line()
To: sub...@bugs.debian.org
Date: Fri, 17 Nov 2017 19:00:56 +0100
Reply-To: Jakub Wilk <jw...@jwilk.net>, 882...@bugs.debian.org

Package: fig2dev
Version: 1:3.2.6a-6

The get_line() function in fig2dev/read.c does this:

  len = strlen(buf);
  buf[len-1] = '\0';                   /* strip trailing newline */
  if (buf[len-2] == '\r')
      buf[len-2] = '\0';               /* strip any trailing CRs */
  return 1;

If the string length is 0 (or 1 in some cases), this writes outside the
buffer.

-- 
Jakub Wilk


----- End forwarded message -----

Tschoeeee

        Roland

--- End Message ---
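
The length check the report asks for, as an added example that is not part of the original messages and is neither fig2dev's code nor its upstream fix. `strip_eol` and `check_case` are hypothetical names, the sample lines are constructed, and unlike the quoted snippet this version keeps a final character that is not a newline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a fig2dev function): remove one trailing '\n'
 * and then one trailing '\r', returning the new length. Each index is
 * guarded by len > 0, so lengths 0 and 1 never reach buf[-1] or buf[-2].
 * Assumption: a final character that is not a newline is kept. */
size_t strip_eol(char *buf)
{
    size_t len = strlen(buf);

    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    if (len > 0 && buf[len - 1] == '\r')
        buf[--len] = '\0';
    return len;
}

/* Place a constructed input two bytes into a larger array and strip it.
 * The guard bytes in front hold '\r', the value that would make the
 * unchecked snippet's len == 1 case write to buf[-1].
 * Returns 1 when the result matches and both guards are intact. */
int check_case(const char *in, const char *expect)
{
    char mem[2 + 32];
    char *buf = mem + 2;

    if (strlen(in) >= sizeof(mem) - 2)
        return 0;
    mem[0] = mem[1] = '\r';
    strcpy(buf, in);
    return strip_eol(buf) == strlen(expect) &&
           strcmp(buf, expect) == 0 &&
           mem[0] == '\r' && mem[1] == '\r';
}

int main(void)
{
    /* Constructed sample lines: {input, expected result}. */
    static const char *cases[][2] = {
        {"", ""}, {"\n", ""}, {"\r\n", ""}, {"2 1 0\n", "2 1 0"},
        {"2 1 0\r\n", "2 1 0"}, {"no newline", "no newline"},
    };
    int ok = 1;

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        ok &= check_case(cases[i][0], cases[i][1]);
    puts(ok ? "all cases ok" : "FAILED");
    return !ok;
}
```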
