On Tue, Jul 11, 2023 at 11:48:57AM +0100, Stuart Henderson wrote:
> I ran into a segfault with patch(1) in a port, here's a test case with a
> minimal reproducer.
>
> $ echo foo > test
> $ perl -e 'print "--- test.orig\n+++ test\n@@ -1,1 +1,2 @@\n foo\n+" . 'x' x 32768 . "\n\\ No newline at end of file\n"' > test.patch
patch maintains the line lengths in an array of shorts p_len[] and doesn't check for overflows. This long line overflows the length, so you get a bad buffer underrun when doing 's[p_len[filldst - 1]] = 0;'
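To make the narrowing concrete, here is a small added example (not code from patch(1) or from this thread) that mirrors the pattern of storing a line length in a short and shows why the 32768-byte line from the reproducer turns into a negative index, next to a range-checked store; the names store_len_short and store_len_checked are invented for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Length of the '+' line body in the reproducer: 32768 'x' bytes.
 * The value is constructed here; it is the same count used in the test case. */
#define REPRO_LINE_LEN ((size_t)32768)

/* Mirrors the unchecked pattern: the length is narrowed into a short.
 * On the usual two's-complement targets (and as gcc/clang document),
 * 32768 wraps to -32768; that value is what ends up as the index in
 * 's[p_len[filldst - 1]] = 0', i.e. a write before the buffer start. */
long store_len_short(size_t len)
{
    short p_len = (short)len;   /* silent narrowing, no range check */
    return (long)p_len;
}

/* Hardened variant: refuse any length that does not fit the element type
 * before it is stored, so a long line is an error instead of a wrap.
 * Returns the stored value, or -1 if the line would have overflowed. */
long store_len_checked(size_t len)
{
    if (len > (size_t)SHRT_MAX)
        return -1;
    short p_len = (short)len;   /* provably in range here */
    return (long)p_len;
}

int main(void)
{
    printf("unchecked: %zu -> %ld\n", REPRO_LINE_LEN, store_len_short(REPRO_LINE_LEN));
    printf("checked:   %zu -> %ld\n", REPRO_LINE_LEN, store_len_checked(REPRO_LINE_LEN));
    printf("checked:   %d -> %ld\n", SHRT_MAX, store_len_checked((size_t)SHRT_MAX));
    return 0;
}
```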