potential buffer overflow in append_str

fixes #524

diff --git a/src/pager.c b/src/pager.c
index 9f8cf059a7b13346811bccf90aa98818c458c678..73e1a70bde5abacfac1120e2ca1a894b65fd203f 100644 (file)
--- a/src/pager.c
+++ b/src/pager.c
@@ -60,16 +60,18 @@ is_swallow_sym(int c)
 static int
 append_str(char *buf, const char *new_str)
 {
-    int space_left; /* space remaining in buf */
+    size_t size2append, space_left;
+    const char sep[] = " or ";
 
     if (strstri(buf, new_str))
         return 0;
 
-    space_left = BUFSZ - strlen(buf) - 1;
-    if (space_left < 1)
+    space_left = BUFSZ - strlen(buf);  /* space remaining in buf */
+    size2append = strlen(new_str) + sizeof sep; /* latter includes '\0' */
+    if (space_left < size2append)
         return 0;
-    (void) strncat(buf, " or ", space_left);
-    (void) strncat(buf, new_str, space_left - 4);
+    Strcat(buf, sep);
+    Strcat(buf, new_str);
     return 1;
 }