Path: utzoo!utgpu!water!watmath!clyde!att!rutgers!mit-eddie!bloom-beacon!tut.cis.ohio-state.edu!cs.utexas.edu!sm.unisys.com!sdcsmb!sea!eggert
From: eggert@sm.unisys.com (Paul Eggert)
Newsgroups: comp.sources.bugs
Subject: patch for less v97: unset variable in exec_mca() can lead to core dump
Message-ID: 
Date: 26 Sep 88 16:27:42 GMT
Organization: Unisys Santa Monica
Lines: 20

In less version 97, a local variable 'n' in exec_mca() is not initialized.
If n's initial garbage is a small negative number, 'less' can dump core because
it allocates a buffer that is too small, and then overruns the buffer.
Here's a fix to line 309 of command.c.

*** less97/command.c	Mon Sep 26 09:03:50 1988
--- patched/command.c	Mon Sep 26 08:48:26 1988
***************
*** 307,311 ****
  			 * need to allocate for the expanded shell cmd.
  			 */
! 			for (fr = cmdbuf;  *fr != '\0';  fr++)
  				if (*fr == '%')
  					n += strlen(current_file);
--- 307,311 ----
  			 * need to allocate for the expanded shell cmd.
  			 */
! 			for (fr = cmdbuf, n = 0;  *fr != '\0';  fr++)
  				if (*fr == '%')
  					n += strlen(current_file);
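
Review bot: the `n = 0` on the changed `for` line is tucked into the loop's init clause beside `fr = cmdbuf`, where a later edit to the loop header can easily drop it again. Since `n` is a size accumulator rather than a loop variable, setting it in its own statement just before the loop, or at its declaration, would make the initialization harder to lose. Also, the lines shown only add `strlen(current_file)` for each `%`. The comment says `n` sizes the buffer for the expanded shell command, so it is worth confirming that the allocation after this hunk also accounts for the length of `cmdbuf` itself and the terminating NUL.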