Re: jot(1): one-byte overflow in error path

2017-12-29 Thread Theo Buehler
On Sat, Dec 30, 2017 at 05:55:57AM +, kshe wrote:
> Hi,
>
> If the format string ends in an invalid specifier like `%l', p will
> already point to the trailing NUL upon entering the switch, wherein the
> instruction
>
>     *++p = '\0';
>
> will write another NUL after it, but there is no

jot(1): one-byte overflow in error path

2017-12-29 Thread kshe
Hi,

If the format string ends in an invalid specifier like `%l', p will already point to the trailing NUL upon entering the switch, wherein the instruction

    *++p = '\0';

will write another NUL after it, but there is no guarantee that the buffer extends beyond that first NUL; thus, in the