$NetBSD: patch-aa,v 1.3 2006/03/07 02:30:41 joerg Exp $

--- src/conf.c.orig	2004-11-07 20:18:21.000000000 +0100
+++ src/conf.c
@@ -721,14 +721,12 @@ spifconf_shell_expand(spif_charptr_t s)
 
 /* The config file reader.  This looks for the config file by searching CONFIG_SEARCH_PATH.
    If it can't find a config file, it displays a warning but continues. -- mej */
-
 spif_charptr_t 
 spifconf_find_file(const spif_charptr_t file, const spif_charptr_t dir, const spif_charptr_t pathlist)
 {
     static spif_char_t name[PATH_MAX], full_path[PATH_MAX];
     spif_charptr_t path, p;
-    short maxpathlen;
-    unsigned short len;
+    spif_int32_t len, maxpathlen;
     struct stat fst;
 
     REQUIRE_RVAL(file != NULL, NULL);
@@ -737,6 +735,13 @@ spifconf_find_file(const spif_charptr_t 
     D_CONF(("spifconf_find_file(\"%s\", \"%s\", \"%s\") called from directory \"%s\".\n",
             file, NONULL(dir), NONULL(pathlist), name));
 
+    /* Make sure our supplied settings don't overflow. */
+    len = strlen(SPIF_CAST_C(char *) file) + ((dir) ? (strlen(SPIF_CAST_C(char *) dir)) : (0)) + 2;
+    if ((len > SPIF_CAST(int32) sizeof(name)) || (len <= 0)) {
+        D_CONF(("Too big.  I lose. :(\n"));
+        return ((spif_charptr_t) NULL);
+    }
+
     if (dir) {
         strcpy(SPIF_CAST_C(char *) name, SPIF_CAST_C(char *) dir);
         strcat(SPIF_CAST_C(char *) name, "/");
@@ -756,7 +761,7 @@ spifconf_find_file(const spif_charptr_t 
     /* maxpathlen is the longest possible path we can stuff into name[].  The - 2 saves room for
        an additional / and the trailing null. */
     if ((maxpathlen = sizeof(name) - len - 2) <= 0) {
-        D_CONF(("Too big.  I lose. :(\n", name));
+        D_CONF(("Too big.  I lose. :(\n"));
         return ((spif_charptr_t) NULL);
     }
 
@@ -827,10 +832,12 @@ spifconf_open_file(spif_charptr_t name)
     /* Check version number against current application version. */
     begin_ptr = SPIF_STR_STR(ver_str) + spif_str_index(ver_str, SPIF_CAST(char) '-') + 1;
     end_ptr = SPIF_STR_STR(ver_str) + spif_str_index(ver_str, SPIF_CAST(char) '>');
+    D_CONF(("Begin pointer is %10p (%s), end pointer is %10p (%s), length is %d, buffer size is %d\n",
+            begin_ptr, begin_ptr, end_ptr, end_ptr, SPIF_CAST_C(int) (end_ptr - begin_ptr), sizeof(buff)));
     if (SPIF_PTR_ISNULL(end_ptr)) {
         spiftool_safe_strncpy(buff, begin_ptr, sizeof(buff));
     } else {
-        testlen = MAX(SPIF_CAST_C(int) sizeof(buff), SPIF_CAST_C(int) (end_ptr - begin_ptr));
+        testlen = MIN(SPIF_CAST_C(int) sizeof(buff), SPIF_CAST_C(int) (end_ptr - begin_ptr + 1));
         spiftool_safe_strncpy(buff, begin_ptr, testlen);
     }
     ver = spiftool_version_compare(buff, libast_program_version);