From 7efe03cf0552234852be6e4537c5fe0ce0c6841c Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <lfleischer@calcurse.org>
Date: Sat, 26 May 2018 12:03:03 +0200
Subject: Fix buffer overflow in keys_action_allkeys()

Signed-off-by: Lukas Fleischer <lfleischer@calcurse.org>
---
 src/keys.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/keys.c b/src/keys.c
index 8bafd66..578c973 100644
--- a/src/keys.c
+++ b/src/keys.c
@@ -452,18 +452,23 @@ char *keys_action_allkeys(enum key action)
 {
 	llist_item_t *i;
 	static char keystr[BUFSIZ];
-	const char *CHAR_SPACE = " ";
+	int keystrlen = 0;
+	int entrylen;
 
 	if (!LLIST_FIRST(&keys[action]))
 		return NULL;
 
 	keystr[0] = '\0';
 	LLIST_FOREACH(&keys[action], i) {
-		const int MAXLEN = sizeof(keystr) - 1 - strlen(keystr);
-		strncat(keystr, LLIST_GET_DATA(i), MAXLEN - 1);
-		strncat(keystr, CHAR_SPACE, 1);
+		entrylen = strlen(LLIST_GET_DATA(i)) + 1;
+		if (keystrlen + entrylen >= BUFSIZ)
+			break;
+		memcpy(keystr + keystrlen, LLIST_GET_DATA(i), entrylen - 1);
+		keystr[keystrlen + entrylen - 1] = ' ';
+		keystrlen += entrylen;
 	}
 
+	keystr[keystrlen] = '\0';
 	return keystr;
 }
 
-- 
cgit v1.2.3-70-g09d2