From f761cef5c897036cd9ce2d8af313dcf930327ed6 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 1 Apr 2003 14:58:55 +0000
Subject: [PATCH] oflow detection in expand_prompt() was faulty (false positives). The count was based on strlcat() return value which includes the length of the entire string.

---
 check.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/check.c b/check.c
index 4535b575f..e2eb7b20d 100644
--- a/check.c
+++ b/check.c
@@ -216,32 +216,35 @@ expand_prompt(old_prompt, user, host)
     if (subst) {
 	new_prompt = (char *) emalloc(++len);
-	*new_prompt = '\0';
-	endp = new_prompt + len - 1;
+	endp = new_prompt + len;
 	for (p = old_prompt, np = new_prompt; *p; p++) {
 	    if (p[0] =='%') {
 		switch (p[1]) {
 		    case 'h':
 			p++;
-			if ((n = strlcat(new_prompt, user_shost, len)) >= len)
+			n = strlcpy(np, user_shost, np - endp);
+			if (n >= np - endp)
 			    goto oflow;
 			np += n;
 			continue;
 		    case 'H':
 			p++;
-			if ((n = strlcat(new_prompt, user_host, len)) >= len)
+			n = strlcpy(np, user_host, np - endp);
+			if (n >= np - endp)
 			    goto oflow;
 			np += n;
 			continue;
 		    case 'u':
 			p++;
-			if ((n = strlcat(new_prompt, user_name, len)) >= len)
+			n = strlcpy(np, user_name, np - endp);
+			if (n >= np - endp)
 			    goto oflow;
 			np += n;
 			continue;
 		    case 'U':
 			p++;
-			if ((n = strlcat(new_prompt, *user_runas, len)) >= len)
+			n = strlcpy(np, *user_runas, np - endp);
+			if (n >= np - endp)
 			    goto oflow;
 			np += n;
 			continue;
@@ -254,9 +257,9 @@ expand_prompt(old_prompt, user, host)
 			break;
 		}
 	    }
+	    *np++ = *p;
 	    if (np >= endp)
 		goto oflow;
-	    *np++ = *p;
 	}
 	*np = '\0';
     } else
-- 
2.40.0
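Review bot: The bound handed to strlcpy() in all four new cases is reversed: `np - endp` is negative, because endp is set to `new_prompt + len` just above the loop and np only advances while below it, so after conversion to size_t the copy gets a huge limit and the matching `if (n >= np - endp)` compares n against that same value (on ABIs where size_t and ptrdiff_t share a width it is never true), leaving the oflow path this commit sets out to repair unreachable. Presumably len was pre-counted to fit every substitution, so this is a latent rather than an immediate overrun, but any later miscount in the length pass would now write past new_prompt undetected. For case 'h' the two lines should read `n = strlcpy(np, user_shost, endp - np);` and `if (n >= endp - np)`, and the same swap applies to the 'H', 'u' and 'U' cases. The length-counting pass and the oflow label of expand_prompt() lie outside the hunk.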