From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; MSIE 5.01; Windows 98;)

Description of problem:
Here is the code in question:

        for (; optind < argc; optind++) {
                int s = strlen(argv[optind]);
                char *endp = &command[command_length];
                *endp = ' ';
                command_length += s + 1;
                command = realloc(command, command_length + 1);
                strcpy(endp + 1, argv[optind]);
        }

Study it carefully.  Looks fine doesn't it.
Well it isn't.

The 'endp' is set to point somewhere in relation to 'command'
Then 'command' is changed via realloc.
Then 'endp' is used again like nothing has changed!


Version-Release number of selected component (if applicable):
2.0.13-8

How reproducible:
Always

Steps to Reproduce:
1. Read the code
2. 
3.
    

Actual Results:  Depends on realloc/malloc implementation.
At worse segmentation error, but usually just garbled result.
Unless your system allocate memory in rather large chunks.

Additional info: