To: inn-bugs@isc.org
Copies to: jef@ee.lbl.gov (Jef Poskanzer)
Subject: inn 1.7.2 bug report (CheckIncludedText() array bounds)
Date sent: Sun, 11 Jan 1998 19:30:53 PST
From: Craig Leres

The CheckIncludedText() routines in frontends/inews.c and nnrpd/post.c walk past the end of the article buffer (sometimes resulting in a core dump) when the last character in the article is a newline. The problem is also present in the December 21st snapshot.

Craig

------
RCS file: RCS/inews.c,v retrieving revision 1.1 diff -c -r1.1 inews.c *** /tmp/,RCSt1018980 Sun Jan 11 19:23:01 1998 --- inews.c Sun Jan 11 19:22:53 1998 *************** *** 856,862 **** i--; break; } ! if ((p = strchr(p + 1, '\n')) == NULL) break; } if ((i * 2 > lines) && (lines > 40)) { --- 856,862 ---- i--; break; } ! if (*p == '\0' || (p = strchr(p + 1, '\n')) == NULL) break; } if ((i * 2 > lines) && (lines > 40)) { RCS file: RCS/post.c,v retrieving revision 1.1 diff -c -r1.1 post.c *** /tmp/,RCSt1019045 Sun Jan 11 19:24:39 1998 --- post.c Sun Jan 11 19:24:25 1998 *************** *** 525,531 **** i--; break; } ! if ((p = strchr(p + 1, '\n')) == NULL) break; } if ((i * 2 > lines) && (lines > 40)) --- 525,531 ---- i--; break; } ! if (*p == '\0' || (p = strchr(p + 1, '\n')) == NULL) break; } if ((i * 2 > lines) && (lines > 40))
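
Review bot: The new `*p == '\0'` guard in the inews.c hunk carries no comment saying why it is needed, and without one it reads as redundant next to the `strchr()` NULL check on the same line. Add a one-line comment that `p` can sit on the terminating NUL when the article ends in a newline, in which case `strchr(p + 1, '\n')` would start searching one byte past the buffer. The guard also assumes `p` never moves beyond the terminator before this line is reached; the hunk does not show the top of the loop, so that is worth confirming against the full function.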
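
Review bot: The changed line in the post.c hunk is identical to the one in inews.c, so the same bounds check now has to be maintained in two copies of CheckIncludedText(). Consider moving the routine into one shared source file used by both frontends/inews.c and nnrpd/post.c, or at least cross-referencing the two copies in a comment, so a later fix to one is not missed in the other.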