Checkk!

On Nov 18, 2017 8:52 AM, "Thank you" <[email protected]> wrote:

Your $50 Reward

<http://unstrapped.freeeager.net/cl/r-S23S109I7CNS15J4AS1DN8ASE3NS1705S0S0S15S2SBSCCS21FS26MSA>

<http://unstrapped.freeeager.net/cl/ua-S23S109I7CNS15J4AS1DN8ASE3NS1705S0S0S15S2SBSCCS21FS26MSA>

<http://unstrapped.freeeager.net/cl/op-S23S109I7CNS15J4AS1DN8ASE3NS1705S0S0S15S2SBSCCS21FS26MSA>





























































































































Your message dated Sat, 18 Nov 2017 16:18:11 +0100 with message-id
<[email protected]> has caused the
report #882022, regarding fig2dev: buffer underwrite in get_line() to be
marked as having been forwarded to the upstream software author(s) Thomas
Loimer (NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.) -- 882022:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882022
Debian Bug Tracking System Contact [email protected] with problems

---------- Forwarded message ----------
From: Roland Rosenfeld <[email protected]>
To: Thomas Loimer <[email protected]>
Cc: [email protected]
Bcc:
Date: Sat, 18 Nov 2017 16:18:11 +0100
Subject: Bug#882022: fig2dev: buffer underwrite in get_line()
Hi Thomas!

I'm not sure, whether a string length of 0 or 1 can really happen
here, but you're deeper in the code than me...

----- Forwarded message from Jakub Wilk <[email protected]> -----

From: Jakub Wilk <[email protected]>
Subject: Bug#882022: fig2dev: buffer underwrite in get_line()
To: [email protected]
Date: Fri, 17 Nov 2017 19:00:56 +0100
Reply-To: Jakub Wilk <[email protected]>, [email protected]

Package: fig2dev
Version: 1:3.2.6a-6

The get_line() function in fig2dev/read.c does this:

  len = strlen(buf);
  buf = '\0';                   /* strip trailing newline */
  if (buf == '\r')
      buf = '\0';               /* strip any trailing CRs */
  return 1;

If the string length is 0 (or 1 is some cases), this writes outside the
buffer.

--
Jakub Wilk


----- End forwarded message -----

Tschoeeee

        Roland

Reply via email to