From 8f7235152973cf2de36ae14ab61474a8f140701b Mon Sep 17 00:00:00 2001
From: Ben Kibbey <bjk@luxsci.net>
Date: Sat, 21 Sep 2013 00:56:02 -0400
Subject: [PATCH] Fix potential buffer overrun when building the help message
 box.

---
 src/cboard.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/cboard.c b/src/cboard.c
index dfba299..dd8c9d7 100644
--- a/src/cboard.c
+++ b/src/cboard.c
@@ -2929,6 +2929,8 @@ static wchar_t *build_help(struct key_s **keys)
 		nlen = wcslen(keys[i]->key);
 		t += nlen;
 	    }
+	    else
+		t++;
 	}
 	else
 	    t++;
@@ -2942,8 +2944,8 @@ static wchar_t *build_help(struct key_s **keys)
 	t += keys[i]->r;
     }
 
-    t += 4 + i;
-    buf = Malloc(t*sizeof(wchar_t));
+    t += 4 + i + 1;
+    buf = Malloc((t+1)*sizeof(wchar_t));
     p = buf;
 
     for (i = 0; keys[i]; i++) {
@@ -2961,7 +2963,7 @@ static wchar_t *build_help(struct key_s **keys)
 	*p = 0;
 
 	if (keys[i]->key) {
-	    wcscat(buf, keys[i]->key);
+	    wcsncat(buf, keys[i]->key, t-1);
 	    p = buf + wcslen(buf);
 	}
 	else
@@ -2973,11 +2975,11 @@ static wchar_t *build_help(struct key_s **keys)
 	*p = 0;
 
 	if (keys[i]->d)
-	    wcscat(buf, keys[i]->d);
+	    wcsncat(buf, keys[i]->d, t-1);
 
 	if (keys[i]->r) {
 	    wc = str_to_wchar ("*");
-	    wcscat(buf, wc);
+	    wcsncat(buf, wc, t-1);
 	    free (wc);
 	}
 
-- 
2.11.4.GIT