X-Git-Url: http://git.marmaro.de/?a=blobdiff_plain;f=sbr%2Fm_getfld.c;h=ecbbd3c50966dbebae2a496bca281868b02e20c3;hb=3bf07d227725f798f654ac09f015f35d27ab83cb;hp=bbf11fed6dc877abc72650d5f1bebfd49cac8c2f;hpb=8b4410a1f3cb75e3d92b61176397655d509f81ee;p=mmh

diff --git a/sbr/m_getfld.c b/sbr/m_getfld.c
index bbf11fe..ecbbd3c 100644
--- a/sbr/m_getfld.c
+++ b/sbr/m_getfld.c
@@ -346,7 +346,7 @@ m_getfld (int state, unsigned char *name, unsigned char *buf,
 		}
 		if ((i -= j) <= 0) {
 		    *cp = *buf = 0;
-		    advise (NULL, "field name \"%s\" exceeds %d bytes", name, NAMESZ - 1);
+		    advise (NULL, "field name \"%s\" exceeds %d bytes", name, NAMESZ - 2);
 		    state = LENERR;
 		    goto finish;
 		}
@@ -522,22 +522,35 @@ m_getfld (int state, unsigned char *name, unsigned char *buf,
 		    ep = bp + c - 1;
 		    if ((sp = pat_map[*ep])) {
 			do {
-			    cp = sp;
-			    while (*--ep == *--cp)
-			    ;
-			    if (cp < fdelim) {
-				if (ep >= bp)
-				    /*
-				     * ep < bp means that all the buffer
-				     * contains is a prefix of delim.
-				     * If this prefix is really a delim, the
-				     * m_eom call at entry should have found
-				     * it.  Thus it's not a delim and we can
-				     * take all of it.
+			    /* This if() is true unless (a) the buffer is too
+			     * small to contain this delimiter prefix, or
+			     * (b) it contains exactly enough chars for the
+			     * delimiter prefix.
+			     * For case (a) obviously we aren't going to match.
+			     * For case (b), if the buffer really contained exactly
+			     * a delim prefix, then the m_eom call at entry
+			     * should have found it.  Thus it's not a delim
+			     * and we know we won't get a match.
+			     */
+			    if (((sp - fdelim) + 2) <= c) {
+				cp = sp;
+				/* Unfortunately although fdelim has a preceding NUL
+				 * we can't use this as a sentinel in case the buffer
+				 * contains a NUL in exactly the wrong place (this
+				 * would cause us to run off the front of fdelim).
+				 */
+				while (*--ep == *--cp)
+				    if (cp < fdelim)
+					break;
+				if (cp < fdelim) {
+				    /* we matched the entire delim prefix,
+				     * so only take the buffer up to there.
+				     * we know ep >= bp -- check above prevents underrun
 				     */
 				    c = (ep - bp) + 2;
-			    break;
-			}
+				    break;
+				}
+			    }
 			    /* try matching one less char of delim string */
 			    ep = bp + c - 1;
 			} while (--sp > fdelim);