Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!rutgers!husc6!sri-unix!hplabs!decwrl!pyramid!oliveb!intelca!intsc!inthap!john
From: john@inthap.UUCP
Newsgroups: news.software.b
Subject: Another News 2.11 patch level 3 bug
Message-ID: <378@inthap.UUCP>
Date: Thu, 26-Feb-87 20:33:50 EST
Article-I.D.: inthap.378
Posted: Thu Feb 26 20:33:50 1987
Date-Received: Sun, 1-Mar-87 12:50:17 EST
Organization: Intel Corp., Hauppauge, NY
Lines: 22

Here is the description and fix for a bug in the new 'l' and 'L' commands
added to news 2.11 by patch #3. The bug is in the list_group routine
in file rfuncs.c

	Patch #3 adds the new vnews 'L' and 'l' commands, but contains
	a bug. Variable lg_array is a static pointing to a data area
	used by procedure list_group. The first time list_group is
	called lg_array is null and space for it is malloced. At the
	end of list_group, lg_array is freed but the pointer is not
	set back to null. On the next call to list_group, lg_array
	is NOT null and no space is allocated causing the heap to
	be over written by lg_array.

	The fix is obvious, either take out the call to free at
	the end of list_group or remove the test for lg_array = null
	from around the malloc of lg_array at the start of list_group.

-- 
John Casey	Intel Corporation	(516) 231-3300
   oliveb!intelca!intsc! \
bellcore!motown!mergvax!  >inthap!john
philabs!polycatt!polyof! /