From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; MSIE 5.01; Windows 98;)

Description of problem:
Here is the code in question:

    for (; optind < argc; optind++) {
        int s = strlen(argv[optind]);
        char *endp = &command[command_length];
        *endp = ' ';
        command_length += s + 1;
        command = realloc(command, command_length + 1);
        strcpy(endp + 1, argv[optind]);
    }

Study it carefully. Looks fine, doesn't it? Well, it isn't. The 'endp' is set to point somewhere in relation to 'command'. Then 'command' is changed via realloc. Then 'endp' is used again like nothing has changed!

Version-Release number of selected component (if applicable):
2.0.13-8

How reproducible:
Always

Steps to Reproduce:
1. Read the code
2.
3.

Actual Results:
Depends on realloc/malloc implementation. At worst a segmentation error, but usually just a garbled result. Unless your system allocates memory in rather large chunks.

Additional info:
This is fixed in 2.0.16, we need to upgrade.
*** Bug 106399 has been marked as a duplicate of this bug. ***
Eek. Ignore a mistaken dup.
Fixed in latest release 3.1.15
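The stale-pointer pattern from the report, rewritten so the write position is derived from the buffer only after realloc has returned. This is an added example, not the project's code or its actual fix; the helper names append_args and demo and the sample arguments are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: append argv[first..argc-1] to a heap-allocated
 * command string, separated by single spaces. Returns the (possibly
 * moved) buffer, or NULL on allocation failure after freeing the old one. */
char *append_args(char *command, size_t *command_length,
                  int first, int argc, char **argv)
{
    for (int i = first; i < argc; i++) {
        size_t s = strlen(argv[i]);
        size_t old_len = *command_length;  /* keep an offset, not a pointer */

        /* Grow first: room for ' ', the argument and the trailing NUL. */
        char *grown = realloc(command, old_len + s + 2);
        if (grown == NULL) {
            free(command);                 /* realloc left the old block valid */
            return NULL;
        }
        command = grown;

        /* Only now compute the write position, from the new base address. */
        char *endp = command + old_len;
        *endp = ' ';
        memcpy(endp + 1, argv[i], s + 1);  /* s + 1 copies the NUL as well */
        *command_length = old_len + s + 1;
    }
    return command;
}

/* Constructed sample input: start from "run" and append three arguments. */
char *demo(void)
{
    char *argv[] = { "prog", "-x", "echo", "hello", "world" };
    size_t len = strlen("run");
    char *command = malloc(len + 1);
    if (command == NULL)
        return NULL;
    strcpy(command, "run");
    return append_args(command, &len, 2, 5, argv);
}

int main(void)
{
    char *result = demo();
    if (result != NULL)
        puts(result);
    free(result);
    return 0;
}
```

Building the original loop with -fsanitize=address reports the strcpy through the old pointer as a heap-use-after-free whenever realloc relocates the block.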