Author: Andreas Tille <tille@debian.org>
Last-Update: Mon, 14 Dec 2015 16:44:19 +0100
Bug-Debian: http://bugs.debian.org/715701,
            http://bugs.debian.org/715702
Description: Fix crashes reported by Mayhem
 See http://www.drpaulcarter.com/cs/common-c-errors.php#4.1
 for how to make fgetc() safer.  However, the original problem is
 that no space at all is allocated for empty strings.  The buffers
 are now allocated in advance.

--- a/src/ICM/build-fixed.cc
+++ b/src/ICM/build-fixed.cc
@@ -234,20 +234,24 @@ static int  Read_String
   {
    int  ch, ct;
 
-   while  ((ch = fgetc (fp)) != EOF && ch != '>')
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
      ;
 
    if  (ch == EOF)
        return  FALSE;
 
    ct = 0;
-   while  ((ch = fgetc (fp)) != EOF && ch != '\n' && isspace (ch))
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '\n') && isspace (ch))
      ;
    if  (ch == EOF)
        return  FALSE;
-   if  (ch != '\n' && ! isspace (ch))
+   if  (ch != ((int) '\n') && ! isspace (ch))
        ungetc (ch, fp);
-   while  ((ch = fgetc (fp)) != EOF && ch != '\n')
+   if (tag_size == 0 ) {
+       tag_size += INCR_SIZE;
+       tag = (char *) Safe_realloc (tag, tag_size);
+   }
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '\n'))
      {
       if  (ct >= tag_size - 1)
           {
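Review bot: The `((int) '>')` and `((int) '\n')` casts added to the `fgetc` loops in this hunk do not change behaviour, because `ch` is already declared `int` (`int  ch, ct;`) and the character constant is converted to `int` for the comparison anyway. The pitfall the description links to is storing the result of `fgetc` in a `char`, which this code never did, so the original conditions such as `while  ((ch = fgetc (fp)) != EOF && ch != '>')` could stay as they were. The same holds for the cast lines in the other hunks of this patch; the `if  (ch != '\n' && ! isspace (ch))` checks left uncast in build-icm.cc and score-fixed.cc behave identically. The functional fix is the `tag_size == 0` pre-allocation, and a reader of the patch should not take the casts as hardening. The loop body continues outside the hunk.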
@@ -259,7 +263,11 @@ static int  Read_String
    tag [ct ++] = '\0';
 
    ct = 0;
-   while  ((ch = fgetc (fp)) != EOF && ch != '>')
+   if (s_size == 0) {
+      s_size += INCR_SIZE;
+      s = (char *) Safe_realloc (s, s_size);
+   }
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
      {
       if  (isspace (ch))
           continue;
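Review bot: The new guard tests only `s_size == 0`, so it still relies on the caller keeping `s` and `s_size` in step; a null `s` paired with a non-zero size would skip the allocation and leave the buffer missing when the record is empty. Testing the pointer as well costs nothing: `if (s == NULL || s_size <= 0) { s_size = INCR_SIZE; s = (char *) Safe_realloc (s, s_size); }`. The `tag_size == 0` guard in the previous hunk and the matching guards in build-icm.cc and score-fixed.cc have the same shape. Whether any caller can pass such a state is not visible here, and the declarations of `s` and `s_size` are outside the hunk.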
--- a/src/ICM/build-icm.cc
+++ b/src/ICM/build-icm.cc
@@ -271,20 +271,24 @@ static int  Read_String
   {
    int  ch, ct;
 
-   while  ((ch = fgetc (fp)) != EOF && ch != '>')
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
      ;
 
    if  (ch == EOF)
        return  FALSE;
 
    ct = 0;
-   while  ((ch = fgetc (fp)) != EOF && ch != '\n' && isspace (ch))
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '\n') && isspace (ch))
      ;
    if  (ch == EOF)
        return  FALSE;
    if  (ch != '\n' && ! isspace (ch))
        ungetc (ch, fp);
-   while  ((ch = fgetc (fp)) != EOF && ch != '\n')
+   if (tag_size == 0) {
+       tag_size += INCR_SIZE;
+       tag = (char *) Safe_realloc (tag, tag_size);
+   }
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '\n'))
      {
       if  (ct >= tag_size - 1)
           {
@@ -296,7 +300,11 @@ static int  Read_String
    tag [ct ++] = '\0';
 
    ct = 0;
-   while  ((ch = fgetc (fp)) != EOF && ch != '>')
+   if (s_size == 0) {
+       s_size += INCR_SIZE;
+       s = (char *) Safe_realloc (s, s_size);
+   }
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
      {
       if  (isspace (ch))
           continue;
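Review bot: `ct` is reset to 0 here and then counts the sequence characters, but it is declared `int` at the top of Read_String (`int  ch, ct;` in the previous hunk), so a record longer than INT_MAX bytes would overflow the counter. The store into `s` is outside this hunk, but if it mirrors `tag [ct ++]`, the index would be invalid after the overflow and the write could land outside the buffer. Since this patch hardens the reader against malformed input, consider declaring `ct` with the same type as `s_size`, or rejecting a record once `ct` reaches a fixed limit. The copies of Read_String in build-fixed.cc and score-fixed.cc declare `ct` the same way.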
--- a/src/ICM/score-fixed.cc
+++ b/src/ICM/score-fixed.cc
@@ -163,20 +163,24 @@ int  Read_String
   {
    int  ch, ct;
 
-   while  ((ch = fgetc (fp)) != EOF && ch != '>')
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
      ;
 
    if  (ch == EOF)
        return  FALSE;
 
    ct = 0;
-   while  ((ch = fgetc (fp)) != EOF && ch != '\n' && isspace (ch))
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '\n') && isspace (ch))
      ;
    if  (ch == EOF)
        return  FALSE;
    if  (ch != '\n' && ! isspace (ch))
        ungetc (ch, fp);
-   while  ((ch = fgetc (fp)) != EOF && ch != '\n')
+   if (tag_size == 0 ) {
+       tag_size += INCR_SIZE;
+       tag = (char *) Safe_realloc (tag, tag_size);
+   }
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '\n'))
      {
       if  (ct >= tag_size - 1)
           {
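Review bot: This is the third pasted copy of the same pre-allocation block, and the copies already differ in small ways: the guard is written `tag_size == 0 )` here and in build-fixed.cc but `tag_size == 0)` in build-icm.cc, and the `'\n'` cast on the check before `ungetc` was applied only in build-fixed.cc. Moving Read_String, or at least the step that makes sure the buffer exists, into one shared source file would let the next fix land once instead of three times. That may be out of scope for a Debian patch, but it is worth a sentence in the description for upstream. The function body continues outside the hunk.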
@@ -188,7 +192,11 @@ int  Read_String
    tag [ct ++] = '\0';
 
    ct = 0;
-   while  ((ch = fgetc (fp)) != EOF && ch != '>')
+   if (s_size == 0) {
+      s_size += INCR_SIZE;
+      s = (char *) Safe_realloc (s, s_size);
+   }
+   while  ((ch = fgetc (fp)) != EOF && ch != ((int) '>'))
      {
       if  (isspace (ch))
           continue;