Description of problem: dos2unix short-by-1 malloc error causes buffer overrun in rename(), thus leading to failure Version-Release number of selected component (if applicable): 3.1-21 How reproducible: on IA32, at least, dos2unix /path/that's/multiple/of/4/bytes/file Steps to Reproduce: 1. as above 2. 3. Actual results: dos2unix: converting file /path/that's/multiple/of/4/bytes/file to UNIX format ... dos2unix: problems renaming '/path/that's/multiple/of/4/bytes/d2utmp8tkzlo^A^O' to '/path/that's/multiple/of/4/bytes/file' output file remains in '/tmp/fsrdata/temp/m1olt00/moebs/d2utmp8tkzlo^A^O' dos2unix: problems converting file /path/that's/multiple/of/4/bytes/file in the above, not the presence of the ^A^O (meant to represent the control characters) at the end of the mkstemp()-derived temp file name. in an strace(1), the same garbage shows up at the end of the failed rename() syscall, but not in the mkstemp()'s open() syscall Expected results: dos2unix: converting file /path/that's/multiple/of/4/bytes/file to UNIX format ... Additional info: looks like mkstemp() creates the file and stuffs the file name in the too-small buffer OK but that rename() and even the *printf()'s read beyond the end of the buffer because the terminal null gets overwritten by something else on the heap
Created attachment 126038 [details] fixes the short-by-1 malloc() and fixes an inconsequential double-close()
*** This bug has been marked as a duplicate of 174016 ***