From: Rocco Rutte <pdmef@gmx.net>
Date: Wed, 5 Sep 2007 06:56:25 +0000 (+0000)
Subject: Fix buffer overflow in mutt_FormatString()
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b99fa8af8f6684b42411c39df7d9d4146d118d5a;p=neomutt

Fix buffer overflow in mutt_FormatString()

The variable in question is supposed to track string sizes, not string
widths (closes #2882 and #2900).
---

diff --git a/muttlib.c b/muttlib.c
index ccfc86959..67d82dc47 100644
--- a/muttlib.c
+++ b/muttlib.c
@@ -1205,7 +1205,7 @@ void mutt_FormatString (char *dest,		/* output buffer */
 	count = (COLS < destlen ? COLS : destlen);
 	if (count > col)
 	{
-	  count -= col; /* how many columns left on this line */
+	  count -= wlen; /* how many byte left for this line's buffer */
 	  mutt_FormatString (buf, sizeof (buf), 0, src, callback, data, flags);
 	  len = mutt_strlen (buf);
 	  wid = mutt_strwidth (buf);
@@ -1222,7 +1222,7 @@ void mutt_FormatString (char *dest,		/* output buffer */
 	  memcpy (wptr, buf, len);
 	  wptr += len;
 	  wlen += len;
-	  col += mutt_strwidth (buf);
+	  col += wid;
 	}
 	break; /* skip rest of input */
       }