Bug 70699

Summary: Typo in ports/devel/libedit, possible buffer overflow in libedit/history.c:history_save()
Product: Ports & Packages Reporter: Sergey S. Kostyliov <rathamahata>
Component: Individual Port(s)Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Sergey S. Kostyliov 2004-08-20 11:40:25 UTC
I believe that there is a possible buffer overflow in
libedit/history.c:history_save(). The related code is
mostly common for all *BSD, so please see
http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=26725
for further details.

Fix: 

http://lists.mysql.com/internals/16119
How-To-Repeat: http://bugs.mysql.com/bug.php?id=4696
Comment 1 Sergey S. Kostyliov 2004-08-21 17:24:20 UTC
Otto Moerbeek <otto@drijf.net>
has just pointed out that the:
        max_size = (len + 1023) & ~1023;
patch is not enough (see http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00092.html)

"... If 
len is a multiple of 1024, 

max_size = (len + 1023) & ~1023;

wil not increase it. Should probably be

max_size = (len + 1024) & ~1023;"

It looks like his statement is correct and either his patch or something like:
        http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00096.html
(which is a bit more intrusive but seems more self documented to me) is needed.

-- 
Sergey S. Kostyliov <rathamahata@ehouse.ru>
Jabber ID: rathamahata@jabber.org
Comment 2 Volker Stolz freebsd_committer 2004-09-02 15:02:38 UTC
State Changed
From-To: open->feedback

Could somebody submit the correct patch, please?
Comment 3 Sergey Matveychuk freebsd_committer 2004-11-22 21:54:11 UTC
State Changed
From-To: feedback->closed

Committed, thanks!