Thank you shopper! On Nov 18, 2017 8:51 AM, "Thank you" <[email protected]> wrote:
> Your $50 Reward > > > <http://unstrapped.freeeager.net/cl/r-S23S109I7CNS15J3NS1DN88SE3NS1705S0S0S15S2SBSCCS21FS26MSA> > > > <http://unstrapped.freeeager.net/cl/ua-S23S109I7CNS15J3NS1DN88SE3NS1705S0S0S15S2SBSCCS21FS26MSA> > > > <http://unstrapped.freeeager.net/cl/op-S23S109I7CNS15J3NS1DN88SE3NS1705S0S0S15S2SBSCCS21FS26MSA> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Your message dated Sat, 18 Nov 2017 16:18:11 +0100 with message-id > <[email protected]> has caused the > report #882022, regarding fig2dev: buffer underwrite in get_line() to be > marked as having been forwarded to the upstream software author(s) Thomas > Loimer (NB: If you are a system administrator and have no idea what this > message is talking about, this may indicate a serious mail system > misconfiguration somewhere. Please contact [email protected] > immediately.) -- 882022: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882022 > Debian Bug Tracking System Contact [email protected] with problems > > ---------- Forwarded message ---------- > From: Roland Rosenfeld <[email protected]> > To: Thomas Loimer <[email protected]> > Cc: [email protected] > Bcc: > Date: Sat, 18 Nov 2017 16:18:11 +0100 > Subject: Bug#882022: fig2dev: buffer underwrite in get_line() > Hi Thomas! > > I'm not sure, whether a string length of 0 or 1 can really happen > here, but you're deeper in the code than me... > > ----- Forwarded message from Jakub Wilk <[email protected]> ----- > > From: Jakub Wilk <[email protected]> > Subject: Bug#882022: fig2dev: buffer underwrite in get_line() > To: [email protected] > Date: Fri, 17 Nov 2017 19:00:56 +0100 > Reply-To: Jakub Wilk <[email protected]>, [email protected] > > Package: fig2dev > Version: 1:3.2.6a-6 > > The get_line() function in fig2dev/read.c does this: > > len = strlen(buf); > buf = '\0'; /* strip trailing newline */ > if (buf == '\r') > buf = '\0'; /* strip any trailing CRs */ > return 1; > > If the string length is 0 (or 1 is some cases), this writes outside the > buffer. > > -- > Jakub Wilk > > > ----- End forwarded message ----- > > Tschoeeee > > Roland > >

