From b0c1c7979f9f8b789311fefe96d525b16a4eb915 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 8 Nov 2008 15:40:33 +0000
Subject: [PATCH] The loop in fill_cmnd() was going one byte too far past the end, resulting in a NUL being written immediately after the buffer end.
---
 toke.c | 2 +-
 toke.l | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/toke.c b/toke.c
index 03541b351..21e2a5ccc 100644
--- a/toke.c
+++ b/toke.c
@@ -3124,7 +3124,7 @@ fill_cmnd(src, len)
 arg_len = arg_size = 0;
- dst = yylval.command.cmnd = (char *) malloc(++len);
+ dst = yylval.command.cmnd = (char *) malloc(len + 1);
 if (yylval.command.cmnd == NULL) {
 yyerror("unable to allocate memory");
 return(FALSE);
diff --git a/toke.l b/toke.l
index 353ab2d11..1a81fe0b3 100644
--- a/toke.l
+++ b/toke.l
@@ -543,7 +543,7 @@ fill_cmnd(src, len)
 arg_len = arg_size = 0;
- dst = yylval.command.cmnd = (char *) malloc(++len);
+ dst = yylval.command.cmnd = (char *) malloc(len + 1);
 if (yylval.command.cmnd == NULL) {
 yyerror("unable to allocate memory");
 return(FALSE);
--
2.40.0
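Review bot: The new `malloc(len + 1)` line in the toke.l hunk carries no comment saying that `len` must stay the source byte count for the code that follows, which is exactly the invariant the old `++len` broke; I would add `/* len bytes of command text plus the terminating NUL; len must remain the source length for the copy below */` above it. The copy loop and the final NUL store named in the commit message lie outside the hunk, so it cannot be confirmed from the visible lines that both now stay within the `len + 1` bytes. The declaration of `len` is also outside the hunk; if it is a signed int, as the K&R-style header suggests, `len + 1` reaches malloc() without a check for a negative or maximal value, and a guard such as `if (len < 0 || len == INT_MAX) return(FALSE);` before the allocation would close that. The toke.c hunk is the same one-line change in what appears to be the scanner generated from toke.l, so the same remarks apply there.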