Fix buffer overflow in mutt_FormatString()

The variable in question is supposed to track string sizes, not string
widths (closes #2882 and #2900).

diff --git a/muttlib.c b/muttlib.c
index ccfc86959c10e6c4dcbcb0acf1f233b73a9a2a03..67d82dc47846e82b6205b35a8c05f4384ae82fe2 100644 (file)
--- a/muttlib.c
+++ b/muttlib.c
@@ -1205,7 +1205,7 @@ void mutt_FormatString (char *dest,               /* output buffer */
        count = (COLS < destlen ? COLS : destlen);
        if (count > col)
        {
-         count -= col; /* how many columns left on this line */
+         count -= wlen; /* how many byte left for this line's buffer */
          mutt_FormatString (buf, sizeof (buf), 0, src, callback, data, flags);
          len = mutt_strlen (buf);
          wid = mutt_strwidth (buf);
@@ -1222,7 +1222,7 @@ void mutt_FormatString (char *dest,               /* output buffer */
          memcpy (wptr, buf, len);
          wptr += len;
          wlen += len;
-         col += mutt_strwidth (buf);
+         col += wid;
        }
        break; /* skip rest of input */
       }