This bug has been there for ages, I think.  It's unrelated to
the other bugs recently discussed, but I found it by code inspection
while looking into the other ones.  I don't see any practical
way to test for it.  I pushed this:

* src/sort.c (avoid_trashing_input): Fix a typo that could cause a
buffer overrun in theory.  In practice this is extremely unlikely,
as it requires running out of file descriptors in a small merge,
presumably because some other process is hogging all the OS's file
descriptors.
---
 src/sort.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/sort.c b/src/sort.c
index 63162ea..3321ddb 100644
--- a/src/sort.c
+++ b/src/sort.c
@@ -3613,9 +3613,8 @@ avoid_trashing_input (struct sortfile *files, size_t 
ntemps,
               files[i].name = temp;
               files[i].pid = pid;
 
-              if (i + num_merged < nfiles)
-                memmove (&files[i + 1], &files[i + num_merged],
-                         num_merged * sizeof *files);
+              memmove (&files[i + 1], &files[i + num_merged],
+                       (nfiles - (i + num_merged)) * sizeof *files);
               ntemps += 1;
               nfiles -= num_merged - 1;;
               i += num_merged;
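Review bot: the new size expression `(nfiles - (i + num_merged))` is evaluated in `size_t`, so the hunk relies on the caller guaranteeing `i + num_merged <= nfiles`; if that invariant ever fails the count wraps to a huge value and memmove runs far past the end of `files`. With that invariant the fix is right: the removed lines moved `num_merged` entries unconditionally, which reads and writes beyond the array whenever fewer than `num_merged` entries follow the merged group, while the new count is exactly the number of entries that remain, and the dropped `if (i + num_merged < nfiles)` guard is no longer needed because the equal case yields a zero-length move. Minor, on the unchanged context line `nfiles -= num_merged - 1;;`: the doubled semicolon is harmless but could be cleaned up in a follow-up.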
-- 
1.7.2

