Re: libc/printf.c

From: Dave Hudson <dave_at_nospam.org>
Date: Tue Aug 30 1994 - 08:59:22 PDT

Andrew Valencia wrote:
>
> [Tim Newsham <newsham@uhunix.uhcc.Hawaii.Edu> writes:]
>
> >static
> >__fprintf(FILE *fp, char *fmt, int *argptr)
> > char buf[BUFSIZ], *p, c;
> >...
> >This is called by fprintf() as well as printf(). Fixed-size
> >buffer used on the stack. Could be the source of many core dumps
> >and security violations (i.e. old fingerd bug).
>
> Well, now that we have a telnet server I guess this matters more. I'm open
> to patches; the obvious one just caps _doscan() at a limit.

I'll take a look at this one - I've already done a lot of changes to add all
of the vprintf() family.

> > switch((scale<<4) | size) {
> >[...]
> > case (INT<<3) | LONG:
> >all the other cases were << 4 like the switch().
>
> This is code imported from BSD, and the current scanf() code is very
> different. It sure looks wrong to me, and yet it seems to work. I just
> traced through the code, and the assignment case for the longword *is*
> reached.

If you look at the definition INT is 0 anyway - I guess this is a bug, but
0 << 3 is still 0 :-)
 

                Regards,
                Dave
Received on Tue Aug 30 08:15:33 1994
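
The fixed stack buffer in `__fprintf()` discussed above can stay fixed-size if every store into it is bounds-checked and the buffer is flushed when it fills. The following is an added example, not code from this thread or from the libc under discussion; `bounded_fprintf`, `struct sink`, `struct stage` and `STAGE_SIZE` are hypothetical names, and only `%s` and `%%` are handled.

```c
#include <stdarg.h>
#include <stddef.h>
#include <string.h>

#define STAGE_SIZE 16               /* tiny stand-in for BUFSIZ */

/* Hypothetical sink: caller-owned memory with a hard capacity. */
struct sink { char *dst; size_t cap, len; };
/* Staging area: fixed buffer, fill level, bytes produced so far. */
struct stage { char buf[STAGE_SIZE]; size_t n, total; struct sink *out; };

/* Move staged bytes to the sink; bytes beyond its capacity are dropped. */
static void stage_flush(struct stage *st)
{
    size_t room = st->out->cap - st->out->len;
    size_t take = st->n < room ? st->n : room;
    memcpy(st->out->dst + st->out->len, st->buf, take);
    st->out->len += take;
    st->n = 0;
}

/* The only place that stores into the fixed buffer, so the only bounds check. */
static void stage_put(struct stage *st, char c)
{
    if (st->n == STAGE_SIZE)
        stage_flush(st);
    st->buf[st->n++] = c;
    st->total++;
}

/* Handles %s and %%; returns the number of bytes the format produced. */
size_t bounded_fprintf(struct sink *out, const char *fmt, ...)
{
    struct stage st = { {0}, 0, 0, out };   /* fixed-size, lives on the stack */
    va_list ap;
    va_start(ap, fmt);
    for (; *fmt; fmt++) {
        if (*fmt != '%' || fmt[1] == '\0') { stage_put(&st, *fmt); continue; }
        if (*++fmt == 's') {
            /* argument length is unbounded; the stage never grows past 16 */
            for (const char *p = va_arg(ap, const char *); *p; p++)
                stage_put(&st, *p);
        } else {
            stage_put(&st, *fmt);           /* "%%" and unknown conversions */
        }
    }
    va_end(ap);
    stage_flush(&st);
    return st.total;
}
```

The return value counts what the format produced even when the sink truncates, so a caller can detect truncation by comparing it with `len`.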
