Hello Adam Majer!

Stumbled across your bug report while browsing over release-critical ones...

I haven't even looked at the lpe source, but just from looking at the hunk
included as context in your patch it looks like the source could really use
some wider review than just targeted fixes.

On Tue, Dec 23, 2014 at 09:34:20AM -0600, Adam Majer wrote:
[...]
> diff -u lpe-1.2.7/src/buffer.c lpe-1.2.7/src/buffer.c
> --- lpe-1.2.7/src/buffer.c 2014-06-23 22:53:33.582593198 -0500
> +++ lpe-1.2.7/src/buffer.c 2014-12-23 09:08:54.888625050 -0600
> @@ -158,8 +158,8 @@
> int (*accept) (buffer *);
>

Consider the case where strlen(ent->d_name) == basename_len.

> if (strlen(ent->d_name) > basename_len) {
                           ^^^^

This should probably use >= .

       The strlen() function calculates the length of the string s,
=>     excluding the terminating null byte ('\0').

> - basename_len = strlen(ent->d_name) + 1;
> - name = realloc(name, (basename-name) + basename_len);
> + basename_len = strlen(ent->d_name);
> + name = realloc(name, (basename-name) + basename_len + 1);
> basename = name + basename_off;
> }
> strcpy (basename, ent->d_name);

       The strcpy() function copies the string pointed to by src,
=>     including the terminating null byte ('\0'), ...

As mentioned, I haven't looked at the full source so I might very well be
missing something. As I understood it this is the second attempt at fixing
an issue here. Possibly a wider review of how to avoid off-by-one in the
entire source could be useful.

Regards,
Andreas Henriksson

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
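Review bot: after this hunk basename_len holds the string length without the terminating NUL (before it held the buffer size including the NUL), and the unchanged comparison `if (strlen(ent->d_name) > basename_len) {` is only safe under the new convention if every other place that initialises or updates basename_len, none of which is visible in this hunk, follows the same one; verify the initial allocation of name and add a comment at the declaration of basename_len stating whether it counts the terminator. In the same hunk, `name = realloc(name, (basename-name) + basename_len + 1);` overwrites name with the return value before checking it, so on allocation failure the old buffer leaks, basename is computed from a NULL name and the following strcpy() dereferences it; assign the result to a temporary and check it for NULL before updating name.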
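An added example, not lpe's code and not the patch quoted above: it models the two sizing conventions seen in the hunk (basename_len as buffer size including the NUL before the patch, as string length excluding it after) so the strlen(ent->d_name) == basename_len case from the mail can be checked directly, and then shows the same growth step written with an explicit capacity, a checked realloc and a copy of exactly strlen+1 bytes. Every function and struct name here (bytes_written_by_strcpy, fits_prepatch, fits_postpatch, path_buf, set_basename, demo_grow) is invented for this example and does not exist in lpe.

```c
/* Added example, not part of lpe: buffer sizing around strlen()/strcpy(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes strcpy() actually writes: the characters plus the terminating NUL. */
size_t bytes_written_by_strcpy(const char *s) { return strlen(s) + 1; }

/* Pre-patch convention: basename_len is the buffer size INCLUDING the NUL
 * and the buffer only grows when strlen(d_name) > basename_len.
 * Returns 1 if the copy fits, 0 if strcpy() would write past the end. */
int fits_prepatch(size_t basename_len, const char *d_name) {
    size_t cap = basename_len;
    if (strlen(d_name) > basename_len) {
        basename_len = strlen(d_name) + 1;
        cap = basename_len;
    }
    return bytes_written_by_strcpy(d_name) <= cap;
}

/* Post-patch convention: basename_len is the string length EXCLUDING the NUL
 * and the buffer is allocated as basename_len + 1 bytes. */
int fits_postpatch(size_t basename_len, const char *d_name) {
    size_t cap = basename_len + 1;
    if (strlen(d_name) > basename_len) {
        basename_len = strlen(d_name);
        cap = basename_len + 1;
    }
    return bytes_written_by_strcpy(d_name) <= cap;
}

/* Same growth step with the invariant made explicit: base_cap is the number
 * of bytes available at name + base_off, terminator included. */
typedef struct {
    char  *name;      /* directory prefix followed by the basename */
    size_t base_off;  /* offset of the basename within name */
    size_t base_cap;  /* bytes available at name + base_off, NUL included */
} path_buf;

/* Copies d_name into the basename slot, growing it if needed.
 * Returns 0 on success, -1 on allocation failure (buffer left untouched). */
int set_basename(path_buf *p, const char *d_name) {
    size_t need = bytes_written_by_strcpy(d_name);
    if (need > p->base_cap) {
        char *tmp = realloc(p->name, p->base_off + need);  /* checked realloc */
        if (tmp == NULL)
            return -1;
        p->name = tmp;
        p->base_cap = need;
    }
    memcpy(p->name + p->base_off, d_name, need);  /* exactly strlen+1 bytes */
    return 0;
}

/* Exercise the growth path end to end with constructed input ("dir/" + names);
 * returns 1 if the final string and capacity are as expected. */
int demo_grow(void) {
    path_buf p;
    p.base_off = 4;                          /* length of "dir/" */
    p.base_cap = 4;                          /* room for "abc" + NUL only */
    p.name = malloc(p.base_off + p.base_cap);
    if (p.name == NULL)
        return 0;
    memcpy(p.name, "dir/", 4);
    int ok = set_basename(&p, "abc") == 0 && strcmp(p.name, "dir/abc") == 0
          && set_basename(&p, "longname") == 0
          && strcmp(p.name, "dir/longname") == 0 && p.base_cap == 9;
    free(p.name);
    return ok;
}

int main(void) {
    /* The equal-length case: one byte short before the patch, fits after. */
    printf("pre-patch,  strlen == basename_len: %s\n",
           fits_prepatch(5, "abcde") ? "fits" : "overflows by one");
    printf("post-patch, strlen == basename_len: %s\n",
           fits_postpatch(5, "abcde") ? "fits" : "overflows by one");
    printf("explicit-capacity growth: %s\n", demo_grow() ? "ok" : "failed");
    return 0;
}
```

The two fits_* helpers only compute sizes; they never perform the unsafe copy, so the equal-length case can be reasoned about without undefined behaviour. The path_buf version removes the ambiguity the hunk left behind by recording the capacity separately from the string length, which is the cheapest way to make a later reviewer's off-by-one audit mechanical rather than a matter of remembering which convention basename_len follows.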