Comment 3 for bug 424597

Kees Cook (kees) wrote :

On examination, it seems that exp_getvfname() has no length-checking, so
the exp_isufn() "tbuf" variable is overflowed if "expression" is longer
than MAXVARNAMESIZE (40).
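
The pattern described in this comment, next to a bounded alternative. This is an added illustration, not code from the affected package. The function names, signatures, identifier rule and the `MAXVARNAMESIZE + 1` buffer size are assumptions; only the value 40 comes from the comment.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAXVARNAMESIZE 40   /* value quoted in the comment above */

/* Hypothetical stand-in for the unchecked pattern: copies identifier
 * characters until the name ends and never looks at the size of dst. */
const char *getname_unchecked(const char *src, char *dst)
{
    while (isalnum((unsigned char)*src) || *src == '_')
        *dst++ = *src++;    /* runs past dst when the name is too long */
    *dst = '\0';
    return src;
}

/* Bounded variant: the caller passes the destination size. Returns the
 * position just after the name, or NULL when the name does not fit, in
 * which case dst is left as an empty string. */
const char *getname_checked(const char *src, char *dst, size_t dstsize)
{
    size_t n = 0;

    if (dstsize == 0)
        return NULL;
    while (isalnum((unsigned char)src[n]) || src[n] == '_') {
        if (n + 1 >= dstsize) {     /* no room for this char plus the NUL */
            dst[0] = '\0';
            return NULL;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return src + n;
}

/* Hypothetical caller with a fixed stack buffer, as in the report.
 * Returns 1 for "name(", 0 otherwise, -1 when the name is rejected
 * as too long instead of being copied. */
int is_function_call(const char *expression)
{
    char tbuf[MAXVARNAMESIZE + 1];
    const char *rest = getname_checked(expression, tbuf, sizeof tbuf);

    if (rest == NULL)
        return -1;
    return tbuf[0] != '\0' && *rest == '(';
}
```

Rejecting an over-long name, rather than silently truncating it, keeps two different long names from collapsing to the same 40-character prefix.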