From 05809b3647bfcb8d653fe8bb01f0f59226f6a6b4 Mon Sep 17 00:00:00 2001
From: Fumitoshi UKAI <ukai@debian.or.jp>
Date: Tue, 20 Nov 2001 13:17:13 +0000
Subject: fix possible buffer overrun

---
 ChangeLog |  4 ++++
 frame.c   | 10 +++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index cad3736..b8ca67c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2001-11-20  Kiyokazu SUTO <suto@ks-and-ks.ne.jp>
+
+	* frame.c (newFrameSet): fix possible buffer overrun
+
 2001-11-20  Fumitoshi UKAI  <ukai@debian.or.jp>
 
 	* XXMakefile config.h: removed from CVS
diff --git a/frame.c b/frame.c
index 9068325..5850f7f 100644
--- a/frame.c
+++ b/frame.c
@@ -1,4 +1,4 @@
-/* $Id: frame.c,v 1.4 2001/11/16 22:02:00 ukai Exp $ */
+/* $Id: frame.c,v 1.5 2001/11/20 13:17:13 ukai Exp $ */
 #include "fm.h"
 #include "parsetagx.h"
 #include "myctype.h"
@@ -38,8 +38,10 @@ newFrameSet(struct parsed_tag *tag)
     if (cols) {
 	length[i] = p = cols;
 	while (*p != '\0')
-	    if (*p++ == ',')
+	    if (*p++ == ',') {
 		length[++i] = p;
+		if (i >= sizeof(length) / sizeof(length[0]) - 2) break;
+	    }
 	length[++i] = p + 1;
     }
     if (i > 1) {
@@ -74,8 +76,10 @@ newFrameSet(struct parsed_tag *tag)
     if (rows) {
 	length[i] = p = rows;
 	while (*p != '\0')
-	    if (*p++ == ',')
+	    if (*p++ == ',') {
 		length[++i] = p;
+		if (i >= sizeof(length) / sizeof(length[0]) - 2) break;
+	    }
 	length[++i] = p + 1;
     }
     if (i > 1) {
-- 
cgit v1.2.3