Should this use reallocarray() instead, to catch *2 overflow?
(Really it will crash at that point. But using reallocarray can
identify it with a clean error)
> The bug is in fmt. If len == length the buf[len] = '\0' statement is
> an overflow, which happens if the line is exactly 100 chars long.
>
> This fixes it,
>
> -Otto
>
> Index: fmt.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/fmt/fmt.c,v
> retrieving revision 1.38
> diff -u -p -r1.38 fmt.c
> --- fmt.c 20 Feb 2017 15:48:00 -0000 1.38
> +++ fmt.c 17 Oct 2018 16:45:57 -0000
> @@ -699,6 +699,10 @@ get_line(FILE *stream)
> }
> while (len > 0 && isspace((unsigned char)buf[len-1]))
> --len;
> + if (len >= length) {
> + length *= 2;
> + buf = xrealloc(buf, length);
> + }
> buf[len] = '\0';
> return (len > 0 || ch != EOF) ? buf : NULL;
> }
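Review bot: In the added block, `length *= 2` is not checked for wraparound before `xrealloc(buf, length)`, while the only thing this path needs is one more byte for the terminator written by `buf[len] = '\0'`. Growing by a single byte here, or guarding the doubling with an overflow check, would avoid that. A short comment saying the extra space is for the NUL when the line exactly fills the buffer (the `len == length` case from the description) would also explain why a grow step sits after the trailing-whitespace loop, where `len` can only shrink.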
>