Subject: bin/8676: buffer overrun in hexdump
To: None <gnats-bugs@gnats.netbsd.org>
From: Paul Shupak <paul@Plectere.com>
List: netbsd-bugs
Date: 10/24/1999 13:22:12
>Number: 8676
>Category: bin
>Synopsis: the program writes one byte past the end of allocated space
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Oct 24 13:20:59 1999
>Last-Modified:
>Originator: Paul Shupak
>Organization:
>Release: Sun Oct 24 1999
>Environment:
System: NetBSD cobalt 1.4L NetBSD 1.4L (COBALT) #213: Thu Oct 21 22:12:57 PDT 1999 paul@cobalt:/usr/src/sys/arch/i386/compile/COBALT i386
>Description:
The hexdump program allocates insufficient space for
a (re-)formatted string. The space allocated was historically
correct before the addition of the 'q' modifier to printf: the
space needed is the original string length plus either one or *two*
characters for the "cs" array plus one more for the null.
>How-To-Repeat:
Check by examination: No problem has ever been seen in any *BSD
based system (the default allocator either rounds up the request,
or the returned area contains at least one "extra" byte). There
are no problems unless a stricter memory allocator is used (e.g.
compile and run under WinNT with Visual C 6.0).
>Fix:
*** parse.c-ORIG Sun Dec 20 04:17:39 1998
--- parse.c Sun Dec 24 12:49:20 1998
***************
*** 397,401 ****
savech = *p2;
p1[0] = '\0';
! pr->fmt = emalloc(strlen(fmtp) + 2);
(void)strcpy(pr->fmt, fmtp);
(void)strcat(pr->fmt, cs);
--- 397,401 ----
savech = *p2;
p1[0] = '\0';
! pr->fmt = emalloc(strlen(fmtp) + 2 + (cs[1] != '\0'));
(void)strcpy(pr->fmt, fmtp);
(void)strcat(pr->fmt, cs);
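Review bot: the corrected size on the `!` line still hard-codes the assumption that `cs` holds at most two characters; writing it as `emalloc(strlen(fmtp) + strlen(cs) + 1)` (original string, conversion string, terminating null) states the requirement directly and stays correct if another modifier is ever added. Since the following `strcpy`/`strcat` pair performs no bounds check, the size expression is the only guard against the overrun, so it should be as self-evidently correct as possible.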
>Audit-Trail:
>Unformatted: