On Mon, Mar 12, 2007 at 04:27:55PM -0800, Bill Fenner wrote:

There are two fixed-size buffers in this code path:

• getValueString's s[100]. This one is gaily overflowed, with

sprintf(&s[strlen(s)], ...)

• fprint's s[200]. This one is not overflowed, but this overflow causes the syntax error, since fprint(f, ""%s"", getValueString(smiValue, smiType)); loses the trailing quote.

My workaround was to change them to s[500] and s[1000], respectively. A more robust workaround might be to output the trailing quote with a different fprint() call, so that a too-long value creates a valid perl program with invalid data. (I don't know if that's better or worse.)

If vasprintf() is available, fprint could use that to avoid a fixed-length buffer. I don't have any suggestions for getValueString's fixed-length buffer.

This is a long standing known bug. Since we introduced smiVasprintf() some time ago, which is essentially vasprintf(), I have simply changed all fprint()s to use a dynamically allocated string.

The getValueString() functions also should be changed to use a buffer that grows dynamically but this is more tricky to get done; so for now I just increased the buffer size - which is not really a fix. If there are boring sessions next week in Prague, I might find some time to hack together something more reasonable.

I have updated the svn repository.

/js