Should this use reallocarray() instead, to catch *2 overflow? (Really it will crash at that point. But using reallocarray can identify it with a clean error)
> The bug is in fmt. If len == length the buf[len] = '\0' statement is > an overflow, which happens if the line is exactly 100 chars long. > > This fixes it, > > -Otto > > Index: fmt.c > =================================================================== > RCS file: /cvs/src/usr.bin/fmt/fmt.c,v > retrieving revision 1.38 > diff -u -p -r1.38 fmt.c > --- fmt.c 20 Feb 2017 15:48:00 -0000 1.38 > +++ fmt.c 17 Oct 2018 16:45:57 -0000 > @@ -699,6 +699,10 @@ get_line(FILE *stream) > } > while (len > 0 && isspace((unsigned char)buf[len-1])) > --len; > + if (len >= length) { > + length *= 2; > + buf = xrealloc(buf, length); > + } > buf[len] = '\0'; > return (len > 0 || ch != EOF) ? buf : NULL; > } >
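Review bot: the `length *= 2; buf = xrealloc(buf, length);` added before `buf[len] = '\0'` doubles the size without an overflow check, so the wrap that reallocarray(3) would reject is still silent here; an xrealloc-style wrapper around `reallocarray(buf, length, 2)` (or the same multiplication check inline) would make that case fail with a clean error instead of a short allocation. A one-line comment on the new `if (len >= length)` would also help: the whitespace stripping above only shrinks `len`, so this branch is reached only when the read loop filled the buffer to its last byte, which is exactly the 100-character line described in the message.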
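An added example (not fmt's own code) of the two points raised in this thread: the patch's grow-before-terminate check for a line that fills the buffer exactly, and the overflow-checked doubling that reallocarray() would provide. It reads through fmemopen(3) so it runs stand-alone; the 4-byte starting size and the helper names grow()/first_line() are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen(3) for the in-memory test input */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static size_t length = 4;   /* constructed: tiny so short inputs hit the growth path */
static char *buf;

/* Double the buffer. The SIZE_MAX test is the multiplication check that
 * reallocarray(buf, length, 2) would make for us; spelled out so it builds anywhere. */
static int grow(void)
{
	char *p;
	if (length > SIZE_MAX / 2 || (p = realloc(buf, length * 2)) == NULL)
		return -1;          /* doubling would wrap, or out of memory: buf untouched */
	buf = p;
	length *= 2;
	return 0;
}

/* Same shape as fmt's get_line: read to newline, strip trailing whitespace, then
 * terminate. The check before buf[len] = '\0' is the patch's fix for len == length. */
static char *get_line(FILE *stream)
{
	size_t len = 0;
	int ch;
	if (buf == NULL && (buf = malloc(length)) == NULL)
		return NULL;
	while ((ch = getc(stream)) != EOF && ch != '\n') {
		if (len == length && grow() == -1)   /* no room for this byte */
			return NULL;
		buf[len++] = (char)ch;
	}
	while (len > 0 && isspace((unsigned char)buf[len - 1]))
		--len;
	if (len >= length && grow() == -1)       /* line filled buffer: no room for NUL */
		return NULL;
	buf[len] = '\0';
	return (len > 0 || ch != EOF) ? buf : NULL;
}
/* Test helper: first line of a constructed in-memory string. */
static char *first_line(const char *text)
{
	FILE *f = fmemopen((void *)text, strlen(text), "r");
	char *line = f ? get_line(f) : NULL;
	if (f) fclose(f);
	return line;
}
```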