Hi,

libedit miscalculates the amount of space needed for constructing its wchar_t version of argv, causing it to overrun the buffer.
I don't see how the output of mbstowcs can be longer than (sum(strlen(argv)) * sizeof (wchar_t)) so this fix should work: ok? Index: chartype.c =================================================================== RCS file: /cvs/src/lib/libedit/chartype.c,v retrieving revision 1.3 diff -u -p -r1.3 chartype.c --- chartype.c 7 Jul 2011 05:40:42 -0000 1.3 +++ chartype.c 15 Nov 2011 00:38:44 -0000 @@ -147,7 +147,7 @@ ct_decode_argv(int argc, const char *arg * the argv strings. */ for (i = 0, bufspace = 0; i < argc; ++i) bufspace += argv[i] ? strlen(argv[i]) + 1 : 0; - ct_conv_buff_resize(conv, 0, bufspace); + ct_conv_buff_resize(conv, 0, bufspace * sizeof(*p)); if (!conv->wsize) return NULL;
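Review bot: the multiplication in the changed call `ct_conv_buff_resize(conv, 0, bufspace * sizeof(*p));` is unchecked, so a large enough total of argv lengths could wrap and once more request a buffer smaller than the conversion needs. Consider rejecting bufspace values above SIZE_MAX / sizeof(*p) before the call and returning NULL, the same way the existing `if (!conv->wsize)` path does. The hunk also does not show how p is declared or which unit the third argument of ct_conv_buff_resize() expects, so it would help to extend the comment above the loop to say that bufspace counts characters (one terminator per non-NULL string included) and that the resize is given bytes, if that is what this fix relies on.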