From tim@X2296  Tue Apr 29 18:43:00 1997
Received: from X2296 (ppp1552.on.sympatico.ca [206.172.249.16])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA23864
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 29 Apr 1997 18:42:52 -0700 (PDT)
Received: (from tim@localhost) by X2296 (8.7.6/8.7.3) id VAA03236; Tue, 29 Apr 1997 21:41:51 -0400 (EDT)
Message-Id: <199704300141.VAA03236@X2296>
Date: Tue, 29 Apr 1997 21:41:51 -0400 (EDT)
From: Tim.Vanderhoek@X2296
Reply-To: ac199@hwcn.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: vasprintf() is stupid
X-Send-Pr-Version: 3.2

>Number:         3422
>Category:       bin
>Synopsis:       vasprintf() doesn't work.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 29 18:50:01 PDT 1997
>Closed-Date:    Sat Jul 5 11:51:13 PDT 1997
>Last-Modified:  Sat Jul  5 11:51:55 PDT 1997
>Originator:     Tim Vanderhoek
>Release:        FreeBSD 2.2-961006-SNAP i386
>Organization:
League of the Missing
>Environment:

vasprintf.c grabbed from -current.

>Description:

It's a simple off-by-one error...  This occurs in vasprintf.c in the
case where the size of the string is such that it occurs.  Specifically,
it must be such that after the vfprintf() call, h.left == 0.

Recall from line #69 of vasprintf.c that h.base is allocated the
following space:  newbuf = realloc(h->base, h->size);

However, on line #116 of vasprintf.c, in the case where h.left == 0, we
do:  h.base[h.size - 0] = '\0';

This is not good, because it can do bad things such as causing learning
curves in inexperienced hackers such as me.  OTOH, when one doesn't have
a time schedule, chasing after these things can be pretty fun!  :)
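Added example (not FreeBSD's vasprintf.c and not the reporter's code): a small
growable buffer with the same base/size/left bookkeeping the report describes,
plus a finish routine that grows the buffer to used+1 and checks the realloc
result before it writes the terminator, so the h.left == 0 case cannot write
one byte past the allocation.  The CHUNK growth step, the struct and the
function names are assumptions made for this illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CHUNK 128   /* growth step; assumed for this example, not vasprintf.c's value */

/* Same accounting as the report: `base` has `size` bytes allocated,
 * `left` of which are still unused, so used bytes = size - left. */
struct bufinfo {
    char   *base;
    size_t  size;
    size_t  left;
};

/* 1 if a terminator at index size-left stays inside the allocation,
 * 0 if it lands one past the end (exactly the left == 0 case). */
int terminator_in_bounds(size_t size, size_t left)
{
    return (size - left) < size;
}

/* Append len bytes, growing base by CHUNK until they fit.  Returns -1 on ENOMEM
 * and leaves base NULL, mirroring the "failed to realloc in writehook" check. */
int buf_append(struct bufinfo *h, const char *data, size_t len)
{
    while (h->left < len) {
        char *newbuf;
        h->size += CHUNK;
        h->left += CHUNK;
        newbuf = realloc(h->base, h->size);
        if (newbuf == NULL) {
            free(h->base);
            h->base = NULL;
            return -1;
        }
        h->base = newbuf;
    }
    memcpy(h->base + (h->size - h->left), data, len);
    h->left -= len;
    return 0;
}

/* Hardened finish: grow to used+1 first, check the realloc result, then
 * terminate the buffer that is actually returned.  If realloc fails and
 * left == 0 there is no spare byte anywhere, so fail instead of overflowing. */
int buf_finish(struct bufinfo *h, char **str)
{
    size_t used;
    char *final;

    if (h->base == NULL)
        return -1;
    used = h->size - h->left;
    final = realloc(h->base, used + 1);
    if (final == NULL) {
        if (h->left == 0) {         /* old buffer has no room for '\0' */
            free(h->base);
            h->base = NULL;
            return -1;
        }
        final = h->base;            /* oversize buffer still has a spare byte */
    }
    final[used] = '\0';
    *str = final;
    h->base = NULL;
    return (int)used;
}

/* Constructed boundary case: fill exactly one chunk so left == 0 at finish.
 * Returns 1 if the result is a correctly terminated CHUNK-byte string. */
int demo_exact_fit_check(void)
{
    struct bufinfo h = { NULL, 0, 0 };
    char payload[CHUNK];
    char *s = NULL;
    int n, ok;

    memset(payload, 'A', sizeof payload);
    if (buf_append(&h, payload, sizeof payload) < 0)
        return 0;
    n = buf_finish(&h, &s);
    ok = (n == CHUNK && s != NULL && strlen(s) == CHUNK && s[CHUNK] == '\0');
    free(s);
    return ok;
}

int main(void)
{
    printf("terminator index with left == 0 in bounds: %d\n",
           terminator_in_bounds(CHUNK, 0));
    printf("exact-fit string terminated correctly: %d\n", demo_exact_fit_check());
    return 0;
}
```

`terminator_in_bounds(CHUNK, 0)` is the report's failing condition stated as
arithmetic: the terminator index equals the allocation size, so the store in
the old code is one past the end.  `buf_finish` is the ordering the fix needs
(grow, check, then terminate); an implementation that writes through the
realloc result before testing it for NULL trades the overflow for a NULL
dereference.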

>How-To-Repeat:

Ha!  You think I've got the time to spend trying to reinvent the
specific conditions that show this bug!?  :)  If you really must,
grab 80k gzipped sources from my computer and watch as static strings
local to distant functions suddenly disappear for no reason.

>Fix:

*** old.vasprintf.c	Tue Apr 29 21:32:00 1997
--- vasprintf.c	Tue Apr 29 21:31:45 1997
***************
*** 111,118 ****
  	if (h.base == NULL)	/* failed to realloc in writehook */
  		return (-1);
  
- 	h.base[h.size - h.left] = '\0';
  	*str = realloc(h.base, (size_t)(h.size - h.left + 1));
  	if (*str == NULL)	/* failed to realloc it to actual size */
  		*str = h.base;	/* return oversize buffer */
  	return (ret);
--- 111,118 ----
  	if (h.base == NULL)	/* failed to realloc in writehook */
  		return (-1);
  
  	*str = realloc(h.base, (size_t)(h.size - h.left + 1));
+ 	(*str)[h.size - h.left] = '\0';
  	if (*str == NULL)	/* failed to realloc it to actual size */
  		*str = h.base;	/* return oversize buffer */
  	return (ret);
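Review bot: the new line `(*str)[h.size - h.left] = '\0';` dereferences `*str` before the `if (*str == NULL)` check that follows it, so a failed realloc now crashes instead of reaching the `*str = h.base;` fallback. Move the store below the NULL check so it terminates whichever buffer is actually returned. The fallback itself is only safe when `h.left > 0`: when `h.left == 0` the old `h.base` has no spare byte for the terminator (the same condition that caused the original overflow), so that path should free `h.base` and return -1 rather than hand back an unterminated buffer.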
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: fenner 
State-Changed-When: Sat Jul 5 11:51:13 PDT 1997 
State-Changed-Why:  
Duplicate for bin/3451.  I'm closing this one instead of that one because 
that one has an audit-trail. 
>Unformatted:
