From 93d06b03c98d8c38f5aea790b70a4b84f2acee25 Mon Sep 17 00:00:00 2001
From: Kevin Easton <keaston@users.sourceforge.net>
Date: Wed, 5 Nov 2014 09:32:46 +0000
Subject: [PATCH] Fix overflow in say() when handling a client message over the
 maximum.

This was noticed when /channel on a very large channel segfaulted.


git-svn-id: svn://svn.code.sf.net/p/bitchx/code/trunk@528 13b04d17-f746-0410-82c6-800466cd88b0
---
 Changelog       |  2 ++
 source/output.c | 17 ++++++++---------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/Changelog b/Changelog
index 1b0e6b9..20df177 100644
--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,7 @@
 [Changes 1.2c01]
 
+* Fix overflow in say() when handling a maximum-length client message. (caf)
+
 * Remove WANT_CHAN_NICK_SERV define and include network services commands 
   by default. (caf)
 
diff --git a/source/output.c b/source/output.c
index ddd7591..a176cca 100644
--- a/source/output.c
+++ b/source/output.c
@@ -194,22 +194,21 @@ void BX_put_it(const char *format, ...)
  */
 void say (const char *format, ...)
 {
-int len = 0;
 	if (window_display && format)
 	{
+		size_t len;
 		va_list args;
+
+		snprintf(putbuf, LARGE_BIG_BUFFER_SIZE, "%s ", thing_ansi ? thing_ansi : three_stars);
+		len = strlen(putbuf);
+
 		va_start (args, format);
-		if (thing_ansi)
-			len = strlen(thing_ansi);
-		else
-			len = 3;
-		vsnprintf(&(putbuf[len+1]), LARGE_BIG_BUFFER_SIZE, format, args);
+		vsnprintf(putbuf + len, LARGE_BIG_BUFFER_SIZE - len, format, args);
 		va_end(args);
-		strcpy(putbuf, thing_ansi?thing_ansi:three_stars);
-		putbuf[len] = ' ';
+
 		if (strip_ansi_in_echo) 
 		{
-			register char *ptr;
+			char *ptr;
 			for (ptr = putbuf + len; *ptr; ptr++)
 				if (*ptr < 31 && *ptr > 13)
 					if (*ptr != 15 && *ptr != 22)