# HG changeset patch
# User Carl Byington
# Date 1467825469 25200
# Node ID 544d57fe6bc6fd49dc4ed76559ab1b9f0d5cabc4
# Parent fec7f4fca71320bfd2eecad53a2307417d195a6e
From Jeffrey Morlan: try_fork in readpst.c doesn't check that active_children < max_children before forking a child and adding it to the array. This can cause a buffer overflow.
diff -r fec7f4fca713 -r 544d57fe6bc6 src/readpst.c
--- a/src/readpst.c Wed Jul 06 10:15:28 2016 -0700
+++ b/src/readpst.c Wed Jul 06 10:17:49 2016 -0700
@@ -203,7 +203,8 @@
 #ifdef HAVE_FORK
 #ifdef HAVE_SEMAPHORE_H
 int available = grim_reaper(0);
- if (available) {
+ // If children have called sem_post but not exited yet, we could have available > 0 but active_children == max_children
+ if (available && active_children < max_children) {
 sem_wait(global_children);
 pid_t child = fork();
 if (child < 0) {
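Review bot: The new guard makes the fork path depend on `active_children` being an exact count of occupied slots in the child array, but nothing in the hunk states that invariant, and the array insertion after a successful fork lies outside it. Consider documenting the relationship next to the array's declaration, e.g. `/* active_children = number of occupied entries; must never exceed max_children */`, and re-checking or asserting the bound at the insertion site as well, so the array write cannot outrun the count if the reaper and this guard ever disagree. The added comment is also far past a typical line length; wrap it onto two lines. try_fork starts and ends outside the hunk, so the behaviour when `available` is non-zero but the slot check fails (presumably falling back to processing in the parent) is not visible here.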