This bug has been there for ages, I think. It's unrelated to the other bugs recently discussed, but I found it by code inspection while looking into the other ones. I don't see any practical way to test for it. I pushed this:
* src/sort.c (avoid_trashing_input): Fix a typo that could cause a buffer overrun in theory. In practice this is extremely unlikely, as it requires running out of file descriptors in a small merge, presumably because some other process is hogging all the OS's file descriptors. --- src/sort.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) diff --git a/src/sort.c b/src/sort.c index 63162ea..3321ddb 100644 --- a/src/sort.c +++ b/src/sort.c @@ -3613,9 +3613,8 @@ avoid_trashing_input (struct sortfile *files, size_t ntemps, files[i].name = temp; files[i].pid = pid; - if (i + num_merged < nfiles) - memmove (&files[i + 1], &files[i + num_merged], - num_merged * sizeof *files); + memmove (&files[i + 1], &files[i + num_merged], + (nfiles - (i + num_merged)) * sizeof *files); ntemps += 1; nfiles -= num_merged - 1;; i += num_merged; -- 1.7.2
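Review bot: the stray double semicolon on the unchanged context line `nfiles -= num_merged - 1;;` is a typo worth cleaning up in the same commit, since the hunk already touches the lines around it. Dropping the `if (i + num_merged < nfiles)` guard is safe with the new count, because `nfiles - (i + num_merged)` is zero exactly when the old guard would have skipped the memmove; the hunk shows nothing that lets i + num_merged exceed nfiles, but if that were ever possible the unsigned subtraction would wrap and the corrected memmove would itself overrun, so a short comment or assert stating that invariant next to the memmove would document why the guard is no longer needed.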
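As an added illustration, not code from coreutils, here is the corrected tail shift from the patch in stand-alone form, together with two helpers that quantify what the old count of `num_merged` entries would have done: read past the end of the array when the tail after the merged group is shorter than the group, or leave stale entries unshifted when it is longer. `struct sortfile` is reduced to the two fields the hunk assigns; `collapse_merged`, `old_count_overrun` and `old_count_unshifted` are names chosen here and the five-file input is constructed for the demonstration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for coreutils' struct sortfile (assumption: only the two
   fields the loop in the patch assigns, name and pid). */
struct sortfile {
    const char *name;
    int pid;
};

/* Entries the old count (num_merged) would read beyond files[nfiles].
   The tail that actually has to move holds nfiles - (i + num_merged)
   entries; anything the old count asks for beyond that is an overrun. */
size_t old_count_overrun(size_t nfiles, size_t i, size_t num_merged)
{
    size_t tail = nfiles - (i + num_merged);
    return num_merged > tail ? num_merged - tail : 0;
}

/* Tail entries the old count would leave unshifted, so the compacted
   array would still contain stale duplicates after nfiles is reduced. */
size_t old_count_unshifted(size_t nfiles, size_t i, size_t num_merged)
{
    size_t tail = nfiles - (i + num_merged);
    return tail > num_merged ? tail - num_merged : 0;
}

/* Replace files[i .. i+num_merged-1] with `merged` and close the gap,
   using the corrected count from the patch. Returns the new nfiles.
   The caller must guarantee i + num_merged <= nfiles, otherwise the
   unsigned subtraction wraps and the memmove would overrun instead. */
size_t collapse_merged(struct sortfile *files, size_t nfiles, size_t i,
                       size_t num_merged, struct sortfile merged)
{
    assert(num_merged >= 1 && i + num_merged <= nfiles);
    files[i] = merged;
    memmove(&files[i + 1], &files[i + num_merged],
            (nfiles - (i + num_merged)) * sizeof *files);
    return nfiles - (num_merged - 1);
}

int main(void)
{
    /* Constructed sample: five input files, merge b, c, d into one temp. */
    struct sortfile files[5] = {
        {"a", 0}, {"b", 0}, {"c", 0}, {"d", 0}, {"e", 0}
    };
    struct sortfile temp = {"tmp1", 1234};
    size_t n = collapse_merged(files, 5, 1, 3, temp);
    for (size_t k = 0; k < n; k++)
        printf("%s ", files[k].name);        /* a tmp1 e */
    printf("\n");
    printf("old count would overrun by %zu entries\n",
           old_count_overrun(5, 1, 3));       /* 2 */
    return 0;
}
```

The assert in `collapse_merged` makes explicit the invariant the patch relies on once the `if (i + num_merged < nfiles)` guard is gone: with that invariant the count is zero when the merged group ends the array, so the memmove is a harmless no-op, and the old count only went wrong because it measured the group instead of the tail.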